b'                                              OFFICE OF THE CHIEF\n                                              FINANCIAL OFFICER\n\n\n\nOffice of Inspector General\xe2\x80\x94Office of Audit\n\n\n\n\n                                              DEPARTMENT OF LABOR (DOL)\n                                              NEW CORE FINANCIAL MANAGEMENT SYSTEM\n                                              (NCFMS)\n                                              PRE-IMPLEMENTATION PERFORMANCE AUDIT\n                                              REPORT\n\n                                              This audit was performed by KPMG LLP (KPMG), an Independent\n                                              Public Accounting Firm, under contract to the U.S. Department of\n                                              Labor, Office of Inspector General, and by acceptance, it becomes\n                                              a report of the Office of Inspector General.\n\n\n\n\n                                                             Assistant Inspector General for Audit\n\n\n\n\n                                                                            Date Issued:       January 13, 2010\n                                                                         Report Number:        22-10-014-13-001\n\x0c\x0c                                         Prepared by KPMG LLP, an Independent Public Accounting Firm\n                                           for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\n\nTable of Contents\nPerformance Auditors\xe2\x80\x99 Report ..................................................................................... 5\n\nResults In Brief .............................................................................................................. 7\n\nResults and Recommendation ................................................................................... 10\n\nObjective 1 \xe2\x80\x93 Was the OCFO\xe2\x80\x99s user acceptance testing designed and executed\nin accordance with Federal, DOL, and system implementation industry\nstandards?................................................................................................................... 10\n\nObjective 2 \xe2\x80\x93 Was the OCFO\xe2\x80\x99s batch interface testing designed and executed\nin accordance with Federal, DOL, and system implementation industry\nstandards?................................................................................................................... 20\n\nObjective 3 \xe2\x80\x93 Was the OCFO\xe2\x80\x99s integration testing designed and executed in\naccordance with Federal, DOL, and system implementation industry\nstandards?................................................................................................................... 21\n\nObjective 4 \xe2\x80\x93 Was the OCFO\xe2\x80\x99s mock data conversion testing designed and\nexecuted in accordance with Federal, DOL, and system implementation\nindustry standards?.................................................................................................... 25\n\nUpdates to Alert Memorandums ................................................................................ 29\n\nAppendices.................................................................................................................. 33\n\nAppendix A \xe2\x80\x93 Background ......................................................................................... 35\n\nAppendix B \xe2\x80\x93 Objectives, Scope, Methodology, and Criteria ................................. 37\n\nAppendix C \xe2\x80\x93 Management Response ...................................................................... 43\n\nAppendix D \xe2\x80\x93 Auditor Reponse ................................................................................. 51\n\nAppendix E \xe2\x80\x93 Acronyms and Abbreviations............................................................. 61\n\n\n\n\n                                                                              New Core Financial Management System\n                                                               3                        Report No. 22-10-014-13-001\n\x0c   Prepared by KPMG LLP, an Independent Public Accounting Firm\n     for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\n\n\nPAGE INTENTIONALLY LEFT BLANK\n\n\n\n\n                              New Core Financial Management System\n                   4                    Report No. 22-10-014-13-001\n\x0c                           KPMG LLP                                                      Telephone 202 533 3000\n                           2001 M. Street, NW                                            Fax       202 533 8500\n                           Washington, DC 20036                                          Internet  www.us.kpmg.com\n\n\nJanuary 13, 2010\n\nMr. Elliot P. Lewis, Assistant Inspector General for Audit\nMs. Lisa Fiely, Acting Chief Financial Officer\nUS Department of Labor\n200 Constitution Avenue, N.W\nWashington, D.C. 20210\nPerformance Auditors\xe2\x80\x99 Report\nThe United States (U.S.) Department of Labor (DOL) plans to migrate from its current\ncore financial system, Department of Labor Accounting and Related Systems (DOLAR$),\nto the New Core Financial Management System (NCFMS). The Office of Chief Financial\nOfficer (OCFO) is responsible for the migration of the DOLAR$ to the NCFMS. The\nmigration of these systems is being accomplished using the methodology from DOL\xe2\x80\x99s\nSystem Development Life Cycle Management Manual (SDLCMM) and is scheduled to\ntake place January 14, 2010.\n\nThe Office of Inspector General (OIG) contracted with us to conduct a pre-\nimplementation performance audit of DOL\xe2\x80\x99s NCFMS prior to deployment. From\nNovember 19, 2009, to December 17, 2009, we performed test work related to the\nfollowing four audit objectives:\n\n  1) Was the OCFO\xe2\x80\x99s user acceptance testing designed and executed in accordance\n     with Federal, DOL, and system implementation industry standards?\n  2) Was the OCFO\xe2\x80\x99s batch interface testing designed and executed in accordance with\n     Federal, DOL, and system implementation industry standards?\n  3) Was the OCFO\xe2\x80\x99s integration testing designed and executed in accordance with\n     Federal, DOL, and system implementation industry standards?\n  4) Was the OCFO\xe2\x80\x99s mock data conversion testing designed and executed in\n     accordance with Federal, DOL, and system implementation industry standards?\nWe compared the system migration policies, procedures, and controls the OCFO had in\nplace through December 17, 2009, to industry standards, such as the Institute of\nElectrical and Electronics Engineers (IEEE) standards, and Federal and DOL standards.\n\nWe have identified 11 implementation risks related to the design and execution of user\nacceptance testing, batch interface testing, real-time interface testing and mock data\nconversion. These implementation risks were identified as a result of the work\nperformed related to the four objectives listed above and we have summarized them in\nthis report. We provided the condition, cause, criteria, and effect for each identified risk\nto assist in the timely and successful implementation of NCFMS.\n\nIn addition, as required by the U.S. Government Accountability Office generally accepted\ngovernment auditing standards (GAGAS), we followed up on the prior two Alert\n\n\n\n                                                                 5\n                           KPMG LLP, a U.S. limited liability partnership, is the U.S.\n                           member firm of KPMG International, a Swiss cooperative.\n\x0cMemorandums that were issued during our initial performance audit dated August 21,\n2009, and September 3, 2009.\n\nThe OIG had previously contracted with us to perform a pre-implementation performance\naudit when the NCFMS deployment was originally scheduled for October 14, 2009.\nFrom May 19, 2009, through September 23, 2009, we performed an initial pre-\nimplementation performance audit in the following areas: (1) training, (2) cut-over\nprocess, (3) migration of DOLAR$, (4) interface functionality, (5) the certification and\naccreditation (C&A) of the production environment, (6) change control, (7) segregation of\nduties, and (8) U.S. Standard General Ledger (USSGL) compliance. Based upon our\nfieldwork and in response to the risks that we identified, the OIG issued two Alert\nMemorandums to the OCFO, which were related to the following:\n\n       1. Training had not been appropriately completed by all pertinent DOLAR$ users.\n       2. Cut-over reconciliation procedures had not been appropriately documented.\n\nAs of September 23, 2009, the OCFO decided to delay the implementation of NCFMS\nuntil January 2010.\n\nWe conducted this performance audit in accordance with GAGAS. Those standards\nrequire that we plan and perform the audit to obtain sufficient, appropriate evidence to\nprovide a reasonable basis for our findings and conclusions based on our audit\nobjectives. We believe that the evidence obtained provides a reasonable basis for our\nresults and recommendation based on our audit objectives.\n\nThis performance audit did not constitute an audit of financial statements in accordance\nwith GAGAS. We were not engaged to, and did not, render an opinion on DOL\xe2\x80\x99s internal\ncontrols over financial reporting or over financial management systems (for purposes of\nthe Office of Management and Budget\xe2\x80\x99s (OMB) Circular No. A-127, Financial\nManagement Systems, as revised). Our audit fieldwork ended on December 17, 2009;\nwe caution that projecting the results of our evaluation to future periods is subject to the\nrisks that controls may become inadequate because of changes in conditions or because\ncompliance with controls may deteriorate.\n\nIt is the responsibility of DOL management to make risk management decisions\nregarding the identified implementation risks and their realizable/potentially realizable\nimpacts on controls and the financial statements. Conditions may exist that mitigate the\nrisk of an identified finding that may not have been identified during our testing. Policy,\npractices, configurations, settings, architecture, auditing, monitoring, and detective\ncontrols may all work to mitigate the risk of an identified weakness. These controls\nshould be identified and considered in the DOL\xe2\x80\x99s risk management decision-making\nprocess.\n\n\n\n\n                                             6\n\x0c                              Prepared by KPMG LLP, an Independent Public Accounting Firm\n                                for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\nResults In Brief\n\nThe New Core Financial Management System (NCFMS) was originally planned to be\nimplemented on October 14, 2009. However, as of September 23, 2009, the Office of\nthe Chief Financial Officer (OCFO) decided to delay the implementation of NCFMS until\nJanuary 2010. The OCFO took corrective actions to address previously identified risks\nsince the implementation delay of September 23, 2009. Specifically, the OCFO\nincreased opportunities in the training of the Department of Labor (DOL) employees,\nDOL employees attended these additional training opportunities, and the OCFO refined\nthe NCFMS Cut-Over Procedures from Department of Labor Accounting and Related\nSystems (DOLAR$).\n\nProvided in the table below are the results of our follow-up activities.\n\nObjective Objective Area          Status of Previously Issued Alert Memorandums as\n                                                    of December 17, 2009\n1            Training           We noted that the OCFO continued to increase the\n                                availability of training throughout the remaining months\n                                leading up to the implementation and that DOL\n                                employees took the additional trainings as offered. In\n                                addition, the OCFO involved Subject Matter Experts\n                                (SMEs) and invited representatives from each agency\n                                and business process area to the trainings. Additionally,\n                                we confirmed through corroborative inquiry that the\n                                training environment was moved to the DOL\n                                Headquarters in Washington, D.C. to facilitate attendance\n                                at the training classes.\n2            Cut-Over           The OCFO updated its cutover procedures. Per the\n             Process            updated procedures, an NCFMS Cut-Over Transactions\n                                Workbook (NCTW) will be used to manually track funds\n                                status (funding and spending) in fiscal year (FY) 2010\n                                during the cutover period of NCFMS, and numerous\n                                reconciliations will occur during the cutover period.\n\nBased upon our audit fieldwork since the resumption of the implementation, we\nidentified that the OCFO\xe2\x80\x99s user acceptance, batch interface, integration, and mock\nmigration testing were not designed and executed in accordance with Federal, DOL and\nsystem implementation standards. Specifically we identified, in the table below,\nimplementation risks as of December 17, 2009 that were not properly addressed by the\nOCFO.\n\nObjective Objective Area   Implementation Risks as of December 17, 2009\n1         User           \xe2\x80\xa2 Comprehensive user acceptance testing was not\n          Acceptance       conducted on the NCFMS version planned for\n\n                                                         New Core Financial Management System\n                                              7                    Report No. 22-10-014-13-001\n\x0c                             Prepared by KPMG LLP, an Independent Public Accounting Firm\n                               for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\nObjective Objective Area            Implementation Risks as of December 17, 2009\n          Testing                  implementation. (Implementation Risk 1)\n                               \xe2\x80\xa2   DOL users were not involved in all phases of user\n                                   acceptance testing. (Implementation Risk 2)\n                               \xe2\x80\xa2   Evidence could not be obtained to determine if all\n                                   business process requirements under user\n                                   acceptance testing were appropriately tested.\n                                   (Implementation Risk 3)\n                               \xe2\x80\xa2   Reconciliation of standard financial reporting has not\n                                   yet been performed. (Implementation Risk 4)\n2            Interface         \xe2\x80\xa2   A completeness and accuracy validation was not\n             Testing               performed between the batch interfaces and NCFMS.\n                                   (Implementation Risk 5)\n3            Integration       \xe2\x80\xa2   Not all real-time interface requirements were\n             Testing               appropriately tested during the user acceptance test\n                                   phase. (Implementation Risk 6)\n                               \xe2\x80\xa2   Evidence could not be obtained to determine if failed\n                                   integration test cases were corrected and re-tested.\n                                   (Implementation Risk 7)\n                               \xe2\x80\xa2   A completeness and accuracy validation was not\n                                   performed between the real-time interfaces and\n                                   NCFMS. (Implementation Risk 8)\n4            Mock Data         \xe2\x80\xa2   Evidence to determine if a source system data extract\n             Conversion            was validated for completeness could not be obtained.\n                                   (Implementation Risk 9)\n                               \xe2\x80\xa2   Required throughput rates have not yet been reached.\n                                   (Implementation Risk 10)\n                               \xe2\x80\xa2   Mock IV data conversion test results do not include\n                                   evidence that all planned tests to verify the accuracy\n                                   of data migration were performed. (Implementation\n                                   Risk 11)\n\nThe implementation risks identified above present risks to the future integrity and\navailability of the DOL financial data and were caused by the following circumstances:\n\n\xe2\x80\xa2   Numerous software changes after user acceptance testing was completed and the\n    timing of data interface and integration testing of the system was being conducted\n    near the date of the decision to implement were symptomatic of a system\n    development process that was not properly planned from start to finish;\n\n\xe2\x80\xa2   The DOL OCFO\xe2\x80\x99s oversight was not extensive enough to ensure proper acceptance\n    of the testing and mock data conversion results; and\n\n\xe2\x80\xa2   Documentation associated with user acceptance, data interface, integration and\n    mock data conversion testing was not historical and verifiable in a manner that\n\n\n                                                        New Core Financial Management System\n                                             8                    Report No. 22-10-014-13-001\n\x0c                            Prepared by KPMG LLP, an Independent Public Accounting Firm\n                              for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n   supports the ability to verify the completeness and accuracy of test results and\n   related documentation provided by the OCFO.\n\nWe recommend that the OCFO take into consideration the above risks when making its\ndecision to implement the NCFMS.\n\nMANAGEMENT RESPONSE\n\nThe OCFO responded to the draft report and stated that they followed the report\xe2\x80\x99s\nrecommendation and considered in detail the 11 results and discussed the results in\ndetail during the OCFO Change Control Board meeting in consideration of the NCFMS\nreadiness to go forward. The entire OCFO written response to this draft report is\nincluded in Appendix C.\n\nAUDITOR RESPONSE\n\nWe reviewed Management\xe2\x80\x99s Response and updated sections of our report as\nappropriate. We analyzed management\xe2\x80\x99s response to the draft report and found\nnothing in their response that changed our conclusions regarding the implementation\nrisks identified. Please refer to Appendix D for our analysis of Management\xe2\x80\x99s Response\n\n\n\n\n                                                       New Core Financial Management System\n                                            9                    Report No. 22-10-014-13-001\n\x0c                              Prepared by KPMG LLP, an Independent Public Accounting Firm\n                                for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\nResults and Recommendation\n\nWe performed procedures to assess whether the U.S. Department of Labor (DOL)\nOffice of the Chief Financial Officer (OCFO) had controls in place to mitigate risks that\nthe implementation of New Core Financial Management System (NCFMS) poses to the\nintegrity, confidentiality, and availability of financial data. The results of our test work\nand the procedures executed during our scope period are described below.\n\nObjective 1 \xe2\x80\x93 Was the OCFO\xe2\x80\x99s user acceptance testing designed and executed in\naccordance with Federal, DOL, and system implementation industry standards?\n\nThe OCFO\xe2\x80\x99s user acceptance testing was not designed and executed in accordance\nwith Federal, DOL and system implementation standards. Details which support our\ndetermination are provided below.\n\nThe objective of user acceptance testing, a critical phase of a system implementation, is\nto have users perform test cases and validate that the system functionality and\nconfigurations meet the defined requirements needed for the financial system. As a\nresult of user acceptance testing, issues relating to software defects can be identified\nand remediated prior to implementing the system in production. Without proper user\nacceptance testing, the risk exists that the system is delivered containing software\ndefects, benefits identified in the business case are not realized, and agencies are\nunable to achieve business needs.\n\nDuring the user acceptance testing conducted for NCFMS, users tested all 11 business\nprocess areas identified in the Gap Analysis Workshops as well as test cases pertaining\nto real-time and batch interfaces. These 11 business areas include the following:\nAcquire-to-Dispose, Record-to-Report (FIN), Record-to-Report (OPS), Request-to-\nProcure, System User Administration, Reimbursable Management, General Ledger\nManagement, Procure-to-Pay, Build-to-Cost, Budget Execution, and Bill-to-Collect.\n\nImplementation Risk 1 \xe2\x80\x93 Comprehensive user acceptance testing was not\nconducted on the NCFMS version planned for implementation.\n\nWhile management executed test cases for the 11 business process areas, the\ncomprehensive set of test cases related to the business process areas and real time\nand batch interfaces was not always executed at each stage of testing. The table on\nthe next page provides details as to the various testing stages and extent of UAT\nconducted during each phase.\n\n\n\n\n                                                         New Core Financial Management System\n                                             10                    Report No. 22-10-014-13-001\n\x0c                                    Prepared by KPMG LLP, an Independent Public Accounting Firm\n                                      for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\n     Period User    Extent of\n     Acceptance       User\n       Testing    Acceptance Additional Information Provided over Testing\n      Occurred       Testing                             Phase\n    Mid-August    Full set of    The extent of testing could not be determined due\n    2009          test cases     to a lack of readily available historical information\n                                 that could be verified for the August testing. We\n                                 were informed that the same set of test cases\n                                 were executed in August as September; however,\n                                 the OCFO placed reliance on testing performed in\n                                 September.\n    Mid-September Full set of    Upon review of the September test cases, we\n    2009          test cases     noted that the Procure-to-Pay, Working Capital\n                                 Funds, and Job Corps Funding Allocation System\n                                 (JFAS) interface test cases were not tested as of\n                                 September 21, 2009, but appear in the overall\n                                 testing results from December 2009.\n    October 2009  Re-tested      As a result of the testing completed in September,\n                  Failed Test    issues were identified that required software and\n                  Cases          configuration changes to be made to the system.\n                                 Once these changes were implemented, a more\n                                 limited round of testing was completed in October\n                                 by the OCFO to retest the failed test cases to\n                                 ensure the system issues were remediated.\n    December 23,  Partial set of We were informed that purchase card (PCard) and\n    2009          test cases     cross-agency approvals are scheduled to have\n                                 user acceptance test cases conducted in those\n                                 areas.\n\nIn order to evaluate if changes occurred to the configuration baselines after the full set\nof user acceptance test cases were executed, we obtained and inspected\ndocumentation from the OCFO over the releases implemented in the user acceptance\ntesting environment. Upon inspection of the documentation, we noted that ten NCFMS\nreleases, which include both system changes and configuration changes for NCFMS\nand its interfaces, have been implemented on the NCFMS DOL Customer Instance and\nShared Service Provider (SSP)1 appliance instance since the beginning of September.2\nWe were informed that DOL users were executing user acceptance test cases on\nSeptember 4, 2009, and continued through the third week of September. Therefore, it\nappears that software changes were occurring during and subsequent to the user\nacceptance testing phase in September 2009. Additionally, we noted that not all of the\n\n1\n A Shared Service Provider (SSP) is an organization which provides, in a collaborative manner, a product and/or\nservice to another organization to enable increased effectiveness and efficiency of a function and/or process.\n2\n  The NCFMS system is comprised of two platforms, Financial Management Line of Business (FMLOB) SSP\nAppliance and the DOL NCFMS Customer Appliance. When system changes to software or configuration baselines\nare made, they can be implemented on either instance depending on the type of change. As a result, there are two\ndistinct sets of release numbers and associated SPRs as changes to each appliance are tracked separately.\n\n                                                                    New Core Financial Management System\n                                                       11                     Report No. 22-10-014-13-001\n\x0c                            Prepared by KPMG LLP, an Independent Public Accounting Firm\n                              for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\nchanges implemented were made to correct test case failures related to user\nacceptance test results.\n\nThe table below for the SSP Appliance and DOL instance, which make up NCFMS,\ndepict the number of software releases that were implemented to modify the software\nand configuration baselines and include the specific number of changes associated with\neach software release:\n\n                                 SSP Appliance                      DOL Instance\n\n                         Software Build        No. of        Software Build    Number of\n    Software Build            No.            Software           Number          SPRs in\n   Deployment Date                            Problem                           Software\n                                           Reports (SPR)                         Build\n                                            in Software\n                                               Build\n December 12, 2009     SSP-R12-Build-41          35           DOL-Build-23          10\n November 19, 2009     SSP-R12-Build-40          16           DOL-Build-22          7\n November 6, 2009      SSP-R12-Build-39          27           DOL-Build-21          4\n October 23, 2009      SSP-R12-Build-38          11           DOL-Build-20          1\n October 14, 2009      SSP-R12-Build-37          20           DOL-Build-19          3\n October 2, 2009       SSP-R12-Build-36          13           DOL-Build-18          2\n September 25, 2009    SSP-R12-Build-35          11           DOL-Build-17          4\n September 20, 2009    SSP-R12-Build-34          11           DOL-Build-16          6\n September 17, 2009    SSP-R12-Build-33          11           DOL-Build-15          9\n September 10, 2009    SSP-R12-Build-32           2           DOL-Build-14          1\n September 8, 2009     SSP-R12-Build-31           1           DOL-Build-13          4\n September 1, 2009     SSP-R12-Build-30           2           DOL-Build-12          1\n\nUpon review of the software release dates and phases of user acceptance testing, we\ncould not determine whether the phases of testing were completed in an environment\nwith a consistent configuration baseline for both NCFMS and its associated interfaces.\nSpecifically, since the beginning of user acceptance testing, we noted that ten software\nreleases have been implemented in the user acceptance test environment. These\nchanges occurred during and after testing and we could not determine the extent of the\nchanges and the potential impact to system functionality based upon the information\nreceived. We also noted that three of the releases were implemented during the\nmonths of November and December 2009, after the full set of user acceptance test\ncases had been executed. Additionally, we noted that 263 additional test cases were\ntested after September 21, 2009, in the areas of Request-to-Procure, Procure-to-Pay,\nWorking Capital Funds, JFAS, Trust Fund, National Finance Center (NFC), and E-\nGrants. As management did not consider test cases classified as \xe2\x80\x9cothers\xe2\x80\x9d as applicable\nfor execution, these test cases were not conducted.\n\nFurthermore, we were informed that changes were made to the system to correct errors\nidentified in user acceptance testing so that re-testing could be performed. Due to the\n\n                                                       New Core Financial Management System\n                                           12                    Report No. 22-10-014-13-001\n\x0c                             Prepared by KPMG LLP, an Independent Public Accounting Firm\n                               for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\nnumerous software releases and the differences in the overall number of test cases\nconducted after the September testing, we cannot determine if a comprehensive set of\ntest cases were tested for system functionality and interdependency between business\nprocesses with the same baseline configurations.\n\nManagement informed us that the majority of the changes implemented affecting\nsystem functionality were made during the months of September and October 2009 in\norder to remediate issues identified during the initial phases of user acceptance testing\nso that they could be re-tested. Additionally, we were informed that when corrections to\nthe software or baseline could be made to correct failed test cases, the build was\nimplemented as soon as possible. Management indicated that this was done so that\nretesting could occur during the user acceptance testing window in which the original\ntest was conducted. While we noted that management has prioritized and implemented\na subset of changes during and after user acceptance testing, we were unable to obtain\nhistorical, verifiable support over the changes and timing of testing performed for each\nchange. As a result, we could not determine whether a comprehensive approach was\ntaken regarding user acceptance testing for all business processes and interfaces.\nFurthermore, without having this information readily available we were unable to fully\nassess the risk associated with the changes implemented or scheduled to be\nimplemented prior to the implementation date.\n\nWe noted that the DOL Systems Development Lifecycle Management Manual\n(SDLCMM), version 2.2, section 6.3.2 states that acceptance testing is conducted in\naccordance with the Acceptance Test Plan finalized earlier in this phase. Users\nparticipate in acceptance testing to confirm that the developed system meets all user\nrequirements identified in the Planning Requirements and Definition Phase.\nAcceptance testing is conducted in a simulated "real" user environment using simulated\nor real target platforms and infrastructures. Acceptance test results are documented in\nan Acceptance Test Report. Upon completion of acceptance testing, the approving\nauthority verifies that the test results have been reviewed and that testing was\nsuccessfully completed.\n\nWe noted that the Institute of Electrical and Electronics Engineers (IEEE) Standard\n(Std) 1012-1998, Software Verification and Validation, Test Certification Section states\nthat test results should be certified by verifying that the tests were conducted using\nbaseline requirements, a configuration control process, and repeatable tests, and by\nwitnessing the tests. Certification may be accomplished at a software configuration item\nlevel or at a system level.\n\nAdditionally, IEEE Std 1008-1987, Software Unit Testing, Appendix A8, User\nImplementation and User Guidelines: User Involvement states that it can be very\neffective to involve those users in determining the requirements-based elements to be\nincluded in the testing. Asking users about their use of the software may bring to light\nvaluable information to be considered during test planning.\n\n\n\n                                                        New Core Financial Management System\n                                            13                    Report No. 22-10-014-13-001\n\x0c                             Prepared by KPMG LLP, an Independent Public Accounting Firm\n                               for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\nWe noted that there was not an adequate amount of management oversight pertaining\nto the implementation of DOL system changes as they relate to user acceptance\ntesting. Specifically, the DOL OCFO did not maintain an accurate and complete listing\nof changes that had been implemented in the production environment and when they\nhad been implemented. Additionally, changes were not reviewed and analyzed to\ndetermine if the modifications to the system could impact user functionality. As a result,\nuser acceptance testing was not formally scheduled with DOL users for some smaller\nfunctionality changes that were to be subsequently being made.\n\nIn order to obtain the listing of system and configuration changes, documentation from\nOCFO had to be obtained to determine the timeframe in which the build\nimplementations occurred. Management further informed us that currently the following\ntypes of changes are being developed and implemented for production prior to January\n15, 2010:\n\n\xe2\x80\xa2   Performance improvements (these changes were improvements based upon results\n    obtained through load testing)\n\xe2\x80\xa2   Data migration changes to address errors identified in the data migration software\n\xe2\x80\xa2   PCard Module changes\n\xe2\x80\xa2   Interfaces changes\n\xe2\x80\xa2   Functionality changes\n\nAdditionally, management informed us that performance improvements noted in the\nchange listings were based on the results of the second load testing performed in the\nproduction environment. Since this second round of testing was performed after user\nacceptance testing during the connectivity testing, changes to the system were being\nimplemented at the time of our report preparation.\n\nManagement also indicated that during the initial phases of development and testing for\nNCFMS, the PCard Module functionality was not originally scheduled to be\nimplemented. Due to the system implementation delay, DOL management indicated\nthat the NCFMS contractor now had time to develop and complete the PCard module\nsoftware for the production rollout in January 2010. Therefore, the development of the\nPCard Module occurred after the initial user acceptance testing was completed in\nOctober, and as a result, the associated test cases for the PCard Module functionality\nwere never executed during the initial user acceptance testing. DOL management\nindicated that they plan to schedule the testing in late December 2009.\n\nSubsequent to the end of fieldwork, we received Management\xe2\x80\x99s Response to the draft\nreport (see Appendix C), which indicated that that testing for the PCard Module was\npresently underway.\n\nUpon further discussion regarding the December build, we were informed by the OCFO\nthat a minimal number of SPR changes in the build pertain to functionality issues\nincluding interfaces that would require more user acceptance testing. Additionally, the\nOCFO noted that more user acceptance testing will be conducted over cross-agency\n\n                                                        New Core Financial Management System\n                                            14                    Report No. 22-10-014-13-001\n\x0c                             Prepared by KPMG LLP, an Independent Public Accounting Firm\n                               for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\napprovals and the PCard Module prior to the implementation of the system. However,\nmanagement would have to do some further research to determine which other\nchanges may impact functionality and may require user acceptance testing.\n\nDue to the NCFMS production environment not containing the same software changes\nand configuration settings as the environment in which user acceptance testing was\ncompleted, DOL management is unable to fully rely upon the results obtained during\ntesting. The functionality of the system and the successful results of test cases will be\nreproducible when the set of baselines for both software and configuration settings are\nconsistent between the testing and production environment instances. However, when\nthese instances are not identical, functionality that was tested during the initial phases\nof user acceptance testing may not reflect the functionality that is present in production.\nAs a result, errors may occur in the NCFMS software that limits the system\xe2\x80\x99s ability to\nprocess financial data properly and meet DOL\xe2\x80\x99s financial reporting requirements.\n\nWithout fully testing the PCard Module functionality in the system, DOL management\ndoes not have assurance that the system functionality meets the defined business\nneeds and user expectations. Additionally, untested portions of the system could\ndeliver software defects that may potentially limit DOL\xe2\x80\x99s ability to use the PCard Module\nto execute the necessary business functions.\n\nImplementation Risk 2 \xe2\x80\x93 DOL users were not involved in all phases of user\nacceptance testing.\n\nManagement provided user acceptance test cases and the results of testing performed\nrelated to the DOL business processes, interface, and integration testing for the\nNCFMS. Management also provided evidence of DOL management review and\napproval of these test cases and test results. However, upon review of the\ndocumentation, we were unable to determine, or obtain additional evidence, that DOL\nusers performed user acceptance testing and the timeframe in which it was conducted\nby DOL.\n\nUpon inquiry, OCFO management stated that there was a lack of participation from\nDOL users in the August and September phases of testing. We obtained and inspected\ndocumentation noting the DOL users who participated in the September testing.\nHowever, the listing was not comprehensive, and management informed us that\ndetailed documentation over the test cases performed was not obtained from the users.\nAs a result, the performance of user acceptance testing was supplemented by the\nNCFMS support contractor\xe2\x80\x99s testers.\n\nAfter the completion of the September testing, software builds were implemented to fix\nissues identified during user acceptance testing. Once these changes were\nimplemented, management informed us that the NCFMS support contractor\xe2\x80\x99s testers re-\nperformed the user acceptance test cases that had previously failed to ensure that the\nfunctionality was working appropriately.\n\n\n                                                        New Core Financial Management System\n                                            15                    Report No. 22-10-014-13-001\n\x0c                             Prepared by KPMG LLP, an Independent Public Accounting Firm\n                               for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\nAdditionally, management informed us that any changes made to the system since the\nOctober timeframe were tested through the NCFMS contractor\xe2\x80\x99s system life cycle\ndevelopment process. However, no formal user acceptance testing was conducted to\ntest functionality with DOL users. Subsequent to the end of fieldwork, we received\nManagement\xe2\x80\x99s Response to the draft report (see Appendix C), which indicated that that\ntesting for the PCard Module is presently underway.\n\nWe noted that the DOL SDLCMM, version 2.2, section 1.6.3, states that active user\nparticipation is essential at all levels in the definition, design, and development of an IT\nsystem. Users are responsible for initiating and expeditiously resolving issues relating\nto both system development efforts and identification and documentation of\nrequirements. Specifically, the user objectives should (1) provide a quick and\nconsistent review of the requirements; (2) provide statistical information relative to the\nwork processes; (3) develop performance standards; (4) review and refine the functional\nrequirements and their documentation; (5) approve and prioritize requirements; and (6)\nperform user acceptance testing.\n\nAdditionally, DOL SDLCMM, version 2.2, section 6.1 states that during the Development\nand Test Phase, executable software is developed from detailed design specifications.\nThe system is validated through a sequence of unit, integration, system, and\nacceptance test activities. The objective is to ensure the system functions as expected\nand user requirements are satisfied. This phase requires strong user participation in\norder to verify that all requirements have been thoroughly tested and meet all business\nneeds.\n\nFurthermore, we noted that the IEEE Std 1008-1987, Software Unit Testing, Appendix\nA8, User Implementation and User Guidelines: User Involvement, states that it can be\nvery effective to involve those users in determining the requirements-based elements to\nbe included in the testing. Asking users about their use of the software may bring to\nlight valuable information to be considered during test planning.\n\nOCFO management indicated that they made the opportunity available for end users to\nparticipate in the user acceptance testing. However, an insufficient number of DOL\nsystem users participated in the user acceptance testing to complete testing over all of\nthe required test cases. As result, the remaining tests to be performed were completed\nby NCFMS contractor employees and not by DOL users. Additionally, the OCFO\ninformed us that documentation over the number of test cases performed by DOL users\nand those performed by NCFMS contractor employees was not retained.\n\nBy not appropriately conducting user acceptance testing, the risk exists that end users\nwill not be able to validate the system functionality based on the users\xe2\x80\x99 needs or ensure\nestablished functional requirements have been met. Additionally, by failing to\nthoroughly document the users responsible for testing specific test cases, there is a\npotential risk that the appropriate SMEs did not review the results of testing or ensure\nthat adequate testing was performed. As a result, errors may occur in the NCFMS\n\n\n                                                        New Core Financial Management System\n                                            16                    Report No. 22-10-014-13-001\n\x0c                                     Prepared by KPMG LLP, an Independent Public Accounting Firm\n                                       for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\nsoftware that limits the system\xe2\x80\x99s ability to process financial data properly and meet\nDOL\xe2\x80\x99s financial reporting requirements.\n\nImplementation Risk 3 \xe2\x80\x93 Evidence could not be obtained to determine if all\nbusiness process requirements under user acceptance testing were appropriately\ntested.\n\nDOL SMEs defined critical business process requirements through Gap Analysis\nworkshops. Based upon these defined requirements, test plans were created in order\nto test system functionality and ensure that the defined requirements were met. To\ndetermine if business process requirements were appropriately tested, we mapped the\nspecified requirements to the test plans and test cases from the cumulative user\nacceptance test results provided by the OCFO. Specifically, gaps were noted in the\ntesting of requirements in the following business process areas:\n\n                                                       Requirements\n                                                        Not Tested\n  Business Process              Requirements            Due to Test           Requirements\n          Area                     Tested              Case Failure            Not Tested*              Total\n Acquire-to-Dispose                  27                      0                      4                    31\n Bill-to-Collect                     13                      0                      6                    19\n Budget Execution                    54                      0                      2                    56\n Build-to-Cost                       18                      0                      1                    19\n General Ledger                      53                      0                     37                    90\n Management\n Procure-to-Pay                        102                      7                     30                 139\n Record-to-Report                      266                      0                     5                  271\n Reimbursable                           16                      1                      4                  21\n Management\n Request-to-Procure                     14                      0                     74                  88\n System User                            13                      0                      3                  16\n Administration\n Working Capital                        20                      1                      2                  23\n Funds\n TOTAL                                 596                      9                    168*                773\n\n*Note 1: The table above shows 168 requirements not tested. This number was derived from 147 requirements that\nwere classified as \xe2\x80\x9cother\xe2\x80\x9d test cases in the user acceptance test results and were not tested, and 21 requirements\nthat were not tested by test cases.\n\nAdditionally, we noted that during the user acceptance testing, each test case was\nclassified as either passing, failing, or other. According to the documentation provided,\nthe test cases were classified as \xe2\x80\x9cother\xe2\x80\x9d if:\n\n\xe2\x80\xa2   the required functionality was not yet implemented,\n\xe2\x80\xa2   the test case was no longer valid to the implementation, or\n\n                                                                     New Core Financial Management System\n                                                        17                     Report No. 22-10-014-13-001\n\x0c                              Prepared by KPMG LLP, an Independent Public Accounting Firm\n                                for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\xe2\x80\xa2   the test case was a duplicate of another test case in a different testing section.\n\nAs a result, the portion of the test cases that were categorized as \xe2\x80\x9cother\xe2\x80\x9d during user\nacceptance testing were not tested, and therefore, gaps in testing of requirements exist.\nHowever, the OCFO informed us that test cases not tested or not covered by other test\ncases were low risk areas, considered similar to other requirements, or out of scope.\nWe could not conclude as to the validity of the OCFO\xe2\x80\x99s statement during our audit\nfieldwork.\n\nIEEE Std 830-1998, IEEE Recommended Practice for Software Requirements and\nSpecifications (SRS), states that an SRS is complete if, and only if, it includes the\nfollowing elements: a) All significant requirements, whether relating to functionality,\nperformance, design constraints, attributes, or external interfaces. In particular, any\nexternal requirements imposed by a system specification should be acknowledged and\ntreated. b) Definition of the responses of the software to all realizable classes of input\ndata in all realizable classes of situations. Note that it is important to specify the\nresponses to both valid and invalid input values. c) Full labels and references to all\nfigures, tables, and diagrams in the SRS and definition of all terms and units of\nmeasure.\n\nIEEE Std 830-1998, IEEE Recommended Practice for SRS, also states that an SRS is\ntraceable if the origin of each of its requirements is clear and if it facilitates the\nreferencing of each requirement in future development or enhancement documentation.\nThe following two types of traceability are recommended: a) Backward traceability (i.e.,\nto previous stages of development). This depends upon each requirement explicitly\nreferencing its source in earlier documents. b) Forward traceability (i.e., to all\ndocuments spawned by the SRS). This depends upon each requirement in the SRS\nhaving a unique name or reference number. The forward traceability of the SRS is\nespecially important when the software product enters the operation and maintenance\nphase. As code and design documents are modified, it is essential to be able to\nascertain the complete set of requirements that may be affected by those modifications.\n\nBusiness process requirements were documented in various design, interface, and gap\nanalysis documents. As a result, requirements over business processes could appear\nin multiple locations and were difficult to map to all the test cases tested during user\nacceptance testing. DOL management confirmed that they also identified several\nrequirement gaps and presented their analysis to the NCFMS contractor. However, the\nNCFMS contractor provided additional information over the test cases that were\nconsidered invalid or not within scope of the testing to further explain why certain gaps\nexisted in the testing of requirements. Specifically, during the Gap Analysis phase, all\nrequirements had test cases developed for them to ensure that the requirements were\nfully tested once the user acceptance test phase was initiated. However, as the system\ndevelopment progressed, certain test cases could not be tested because of the lag in\ntiming of the software development of certain system functionality.\n\n\n\n                                                         New Core Financial Management System\n                                             18                    Report No. 22-10-014-13-001\n\x0c                             Prepared by KPMG LLP, an Independent Public Accounting Firm\n                               for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\nAdditionally, when some test cases were written, they were written to test compliance\nrequirements for the interfaced applications independent of NCFMS. These interfaced\napplications were developed separately by a subcontractor and the test cases\ndeveloped were considered to be out of the scope of user acceptance testing by the\nOCFO and NCFMS contractor. Furthermore, the OCFO indicated that some of the\nrequirements that could not be mapped to test cases may be accounted for in the\ntesting of other functionality. However, evidence was not provided to substantiate this\ninformation for all of the requirements that were identified as not being tested.\n\nUser acceptance testing is necessary to verify whether the system meets the business\nneeds and user expectations so that the system implemented is functioning as intended\nafter the system implementation date. As a result, errors may occur in the software\nthat limits the system\xe2\x80\x99s ability to process financial data properly and meet DOL\xe2\x80\x99s\nfinancial reporting requirements.\n\nImplementation Risk 4 \xe2\x80\x93 Reconciliation of standard financial reporting has not yet\nbeen performed.\n\nReports including the Statement of Transactions (SF-224), Report on Budget Execution\nand Budgetary Resources (SF-133), and Federal Agencies\xe2\x80\x99 Centralized Trial-Balance\nSystem II (FACTS II) are required to be sent to the U.S. Department of the Treasury\n(Treasury) on either a monthly or quarterly basis. The OCFO tested reports in NCFMS\nfor out-of-the-box functionality; however, no reconciliation of the data between NCFMS\nand DOLAR$ was conducted during user acceptance testing. The OCFO was unable to\nverify that the information contained in the reports is a true representation of the\ninformation contained in the financial system.\n\nOffice of Management and Budget (OMB) Circular No. A-127, Financial Management\nSystems, Revised Transmittal Memorandum No. 1, dated July 23, 1993, section 6\nstates, \xe2\x80\x9cThe Federal government\'s financial management system policy is to establish\ngovernment-wide financial systems and compatible agency systems, with standardized\ninformation and electronic data exchange between central management agency and\nindividual operating agency systems, to meet the requirements of good financial\nmanagement. These systems shall provide complete, reliable, consistent, timely and\nuseful financial management information on Federal government operations to enable\ncentral management agencies, individual operating agencies, divisions, bureaus, and\nother subunits to carry out their fiduciary responsibilities; deter fraud, waste, and abuse\nof Federal government resources; and facilitate efficient and effective delivery of\nprograms through relating financial consequences to program performance.\xe2\x80\x9d\n\nA management decision was made not to place a high level of priority on the validation\nof reports prior to the implementation of NCFMS. Instead, these reports would be\ncategorized in order of importance and implemented in time for the second quarter of\nFY 2010. Additionally, NCFMS has not yet been updated with all the required\ninformation to populate the reports for validity purposes due to the fact that the data\nmigration has not been fully completed.\n\n                                                        New Core Financial Management System\n                                            19                    Report No. 22-10-014-13-001\n\x0c                             Prepared by KPMG LLP, an Independent Public Accounting Firm\n                               for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\nThe accuracy of such reports is imperative due to the analysis and representation that\nthe information presents to Treasury so that government-wide totals are meaningful.\nThe OCFO\xe2\x80\x99s inability to reconcile the data between NCFMS and DOLAR$ before the\nsystem implementation date increases the risk that a large number of reports waiting to\nbe developed may not be implemented into NCFMS by the time the financial reports are\ndue to Treasury and may have increased the risk that proper information is not included\nand reconciled to DOLAR$.\n\nObjective 2 \xe2\x80\x93 Was the OCFO\xe2\x80\x99s batch interface testing designed and executed in\naccordance with Federal, DOL, and system implementation industry standards?\n\nThe OCFO\xe2\x80\x99s batch interface testing was not designed and executed in accordance with\nFederal, DOL and system implementation standards. Details which support our\ndetermination are provided below.\n\nThe purpose of batch interface testing is to evaluate and verify the exchange of data,\ntransmission and control, and processing times. Since data entry into DOLAR$ is either\ndone manually through the user interface or through batch processes, it is imperative\nthat user interface testing is appropriately performed. By not, or without properly\ncompleting interface testing, the risk exists that the interfaces will not function as\nintended once NCFMS is implemented.\n\nThe batch interfaces that were in-scope for our assessment were Central Contact\nRegistration (CCR), JFAS, CitiBank (PCard), Payment Management System (PMS),\nCost Analysis Manager (CAM), GSA Rent, Pitney Bowes, and Unemployment Trust\nFund (UTF). These interfaces were tested during the user acceptance test phase. The\nuser acceptance test phase was designed to test the functionality and interconnectivity\nof the system interfaces. As part of the interconnectivity tests, we performed test steps\nto validate the completeness and accuracy of data being transferred between the\ninterfaces and NCFMS.\n\nManagement developed requirements for each of the interfaces listed above to ensure\nthat the interface would operate as intended once NCFMS is implemented.\nManagement also created test plans to test each of the requirements, and conducted\ntesting to determine if the requirements were being met. If management identified\nissues during testing, management was to remediate the issues and retest the\nrequirement prior to implementing NCFMS into production.\n\nImplementation Risk 5 \xe2\x80\x93 A completeness and accuracy validation was not\nperformed between the batch interfaces and NCFMS.\n\nThe user acceptance test phase was designed to test the functionality and\ninterconnectivity of the batch interfaces. As part of the interconnectivity tests,\nmanagement informed us that they were going to perform test steps to validate the\ncompleteness and accuracy of data being transferred between the interfaces and\n\n                                                        New Core Financial Management System\n                                            20                    Report No. 22-10-014-13-001\n\x0c                             Prepared by KPMG LLP, an Independent Public Accounting Firm\n                               for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\nNCFMS. We requested documentation demonstrating the results of the\ninterconnectivity tests for each of the batch interfaces. Based on inspection of the test\nresults, we determined that the interconnectivity tests were not appropriately designed,\nand as a result, tests for completeness and accuracy of data being transferred were not\nperformed.\n\nWe inquired of the OCFO to determine if completeness and accuracy checks had been\nperformed elsewhere. The OCFO informed us that while completeness and accuracy\nchecks were not specifically conducted, the successful completion of the user\nacceptance tests and the interconnectivity tests demonstrate that data is able to be\ntransferred accurately between the interfaces and NCFMS. However, management\nwas unable to provide us with the evidence to substantiate this assertion during testing.\nAs a result, we were unable to determine if completeness and accuracy testing took\nplace.\n\nThe NCFMS User Acceptance Test Plan, Version 1.1, states that integration testing is\nused to \xe2\x80\x9ctest integration software between NCFMS and external systems to validate that\nall integration points are functioning as expected.\xe2\x80\x9d\n\nAccording to the National Institute of Standards and Technology (NIST) Special\nPublication (SP) 800-53, Recommended Security Controls for Federal Information\nSystems, an information system should check information for accuracy, completeness,\nvalidity, and authenticity.\n\nOCFO management indicated that they did not perform a specific completeness and\naccuracy validation because they felt that sufficient checks were being performed\nthrough user acceptance testing and interconnectivity testing.\n\nWithout testing the completeness and accuracy of data being transferred between the\nbatch interfaces and NCFMS, errors may occur that limit the system\xe2\x80\x99s ability to process\nfinancial data properly and meet DOL\xe2\x80\x99s financial reporting requirements.\n\nObjective 3 \xe2\x80\x93 Was the OCFO\xe2\x80\x99s integration testing designed and executed in\naccordance with Federal, DOL, and system implementation industry standards?\n\nThe OCFO\xe2\x80\x99s real-time interface testing was not designed and executed in accordance\nwith Federal, DOL and system implementation standards. Details which support our\ndetermination are provided below.\n\nIntegration testing includes the real-time interfaces that connect with the NCFMS. The\npurpose of real-time interface testing is to evaluate and verify the exchange of data,\ntransmission and control, and processing times. Since data entry into DOLAR$ is either\ndone manually through the user interface or through batch processes, it is imperative\nthat system real-time interface testing is appropriately performed. By not properly\ncompleting real-time interface testing, the risk exists that the real-time interface(s) will\nnot function as intended once NCFMS is implemented.\n\n                                                        New Core Financial Management System\n                                            21                    Report No. 22-10-014-13-001\n\x0c                                     Prepared by KPMG LLP, an Independent Public Accounting Firm\n                                       for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\nThe real-time interfaces that were included in the scope of our audit were the E-\nProcurement System (EPS) and E-Grants. Management tested both of these real-time\ninterfaces as part of the user acceptance test phase. The user acceptance test phase\nwas designed to test the functionality and interconnectivity of the in-scope systems. As\npart of the interconnectivity tests, test steps were performed to validate the\ncompleteness and accuracy of data being transferred between the interfaces and\nNCFMS.\n\nManagement developed requirements for each of these real-time interfaces to ensure\nthat the interface would operate as intended once NCFMS is implemented.\nManagement created test plans to test each of the requirements, and conducted testing\nto determine if the requirements were being met. If issues were identified during\ntesting, management was to remediate, and retest the requirement prior to\nimplementing NCFMS into production.\n\nImplementation Risk 6 \xe2\x80\x93 Not all real-time interface requirements were\nappropriately tested during the user acceptance test phase.\n\nThe real-time interface requirements that management tested during the user\nacceptance test phase were derived from several requirements documents. These\ndocuments (gap analysis3 and interface design) were the basis for the real-time\ninterface user acceptance test plans. Management should account for all requirements\nidentified in the requirements documents in the user acceptance test plans and then test\nduring the user acceptance test phase.\n\nWe performed a comparison to determine if these requirements were accounted for in\nthe test plans, and then tested during the user acceptance test phase. We noted that\none EPS requirement was missing user acceptance test results:\n\n         Requirement #                                              Requirement Description\nNCFMS-REQ-FUNC-RTP- CONTRACT-                              The EPS Contracting Module shall display\nAPPROVE\xe2\x80\x9332-v1.0                                            all the errors received from the NCFMS\n                                                           interface to the end user\n\nDue to time constraints, the OCFO indicated that they were unable to perform a review\nto ensure that all requirements were appropriately tested during the user acceptance\ntesting phase. While the OCFO represented that this specific requirement did pass user\nacceptance testing, they were unable to provide verifiable evidence demonstrating that\nit was tested during the user acceptance test phase.\n\n\n\n\n3\n Per inquiry with DOL, the gap analysis documents should include all requirements referenced in the interface\nrequirement documents.\n\n                                                                      New Core Financial Management System\n                                                        22                      Report No. 22-10-014-13-001\n\x0c                              Prepared by KPMG LLP, an Independent Public Accounting Firm\n                                for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\nWe noted that the Request-to-Procure test plan, which includes EPS\nrequirements, stated that the test plan provides coverage for the requirements\nenumerated in the corresponding gap analysis document.\n\nAdditionally, the NCFMS User Acceptance Test Plan stated that \xe2\x80\x9cthe objectives of user\nacceptance testing are to validate the delivered system matches the formally defined\nrequirements and verify the system meets the requirements identified and defined for\nthe new financial system\xe2\x80\x9d and \xe2\x80\x9cthe system will be considered \xe2\x80\x9cAccepted\xe2\x80\x9d once all\nrequirements that are necessary for [implementation] have been accepted.\xe2\x80\x9d\n\nIEEE Std 830-1998, IEEE Recommended Practice for SRS, states that an SRS is\ncomplete if, and only if, it includes the following elements: a) All significant\nrequirements, whether relating to functionality, performance, design constraints,\nattributes, or external interfaces. In particular, any external requirements imposed by a\nsystem specification should be acknowledged and treated. b) Definition of the\nresponses of the software to all realizable classes of input data in all realizable classes\nof situations. Note that it is important to specify the responses to both valid and invalid\ninput values. c) Full labels and references to all figures, tables, and diagrams in the\nSRS and definition of all terms and units of measure.\n\nIEEE Std 830-1998, IEEE Recommended Practice for SRS, also states that an SRS is\ntraceable if the origin of each of its requirements is clear and if it facilitates the\nreferencing of each requirement in future development or enhancement documentation.\nThe following two types of traceability are recommended: a) Backward traceability (i.e.,\nto previous stages of development). This depends upon each requirement explicitly\nreferencing its source in earlier documents. b) Forward traceability (i.e., to all\ndocuments spawned by the SRS). This depends upon each requirement in the SRS\nhaving a unique name or reference number. The forward traceability of the SRS is\nespecially important when the software product enters the operation and maintenance\nphase. As code and design documents are modified, it is essential to be able to\nascertain the complete set of requirements that may be affected by those modifications.\n\nFailure to appropriately test all of the identified requirements increases the risk that the\ncorresponding interface will not operate as intended in the production environment.\nSpecifically, not testing the requirement identified above increases the risk that a\nsoftware defect that may cause errors in NCFMS will not be detected. This could\npreclude the identification of issues that affect the functionality of the interfaces and/or\nNCFMS. As a result, errors may occur in the system that limit its ability to process\nfinancial data properly and meet DOL\xe2\x80\x99s financial reporting requirements.\n\nImplementation Risk 7 \xe2\x80\x93 Evidence could not be obtained to determine if failed\nintegration test cases were corrected and re-tested.\n\nReal time interfaces were tested as part of the user acceptance test phase. During the\nfirst round of user acceptance testing in August, we noted that of the 415 integration test\ncases executed there were 17 issues identified. We requested documentation\n\n                                                         New Core Financial Management System\n                                             23                    Report No. 22-10-014-13-001\n\x0c                              Prepared by KPMG LLP, an Independent Public Accounting Firm\n                                for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\ndemonstrating that these 17 issues had been remediated and retested; however,\nmanagement was unable to provide us this documentation. The OCFO indicated that\nsince overall user acceptance testing passed for real-time interfaces, it can be inferred\nthat these 17 issues were remediated. However, we noted that management did not\nadequately document the evidence that failed integration test cases were corrected and\nre-tested to support their statement.\n\nThe NCFMS User Acceptance Test Plan, Version 1.1, states that \xe2\x80\x9cthe objectives of\n[user acceptance testing] UAT are to validate the delivered system matches the formally\ndefined requirements and verify the system meets the requirements identified and\ndefined for the new financial system\xe2\x80\x9d and \xe2\x80\x9cthe system will be considered \xe2\x80\x9cAccepted\xe2\x80\x9d\nonce all requirements that are necessary for [implementation] have been accepted.\xe2\x80\x9d\n\nBy failing to ensure that all test cases achieve their desired objective, DOL increases\nthe risk that the real-time interface(s) will not meet business needs and/or user\nexpectations. Specifically, EPS or E-Grants may contain software defects that are not\ncorrected before NCFMS is deployed into production. Additionally, if NCFMS is\ndeployed with issues that are not resolved, and the documentation of how NCFMS\nevolved throughout the testing phases is not retained, management will not be able to\ndetermine how NCFMS was configured at a certain point in time. This could preclude\nthe identification of issues that affect the functionality of the interfaces and/or NCFMS.\nAs a result, errors may occur in the system that limit its ability to process financial data\nproperly and meet DOL\xe2\x80\x99s financial reporting requirements.\n\nImplementation Risk 8 \xe2\x80\x93 A completeness and accuracy validation was not\nperformed between the real-time interfaces and NCFMS.\n\nThe user acceptance test phase was designed to test the functionality and\ninterconnectivity of the real-time interfaces. As part of the interconnectivity tests, we\nwere informed that test steps were going to be performed to validate the completeness\nand accuracy of data being transferred between the interfaces and NCFMS. We\nrequested documentation demonstrating the results of the interconnectivity tests for\neach of the in-scope real-time interfaces. Based on inspection of the test results, we\ndetermined that the interconnectivity tests were not appropriately designed, and as a\nresult, tests for completeness and accuracy of data being transferred were not\nperformed.\n\nWe inquired of the OCFO to determine if completeness and accuracy checks had been\nperformed elsewhere. The OCFO informed us that while completeness and accuracy\nchecks were not specifically conducted, the successful completion of the user\nacceptance tests and the interconnectivity tests demonstrates that data is able to be\ntransferred accurately between the interfaces and NCFMS. However, we noted that\nmanagement was unable to provide us with the evidence to substantiate this assertion\nduring testing. As a result, we were unable to determine if completeness and accuracy\ntesting took place.\n\n\n                                                         New Core Financial Management System\n                                             24                    Report No. 22-10-014-13-001\n\x0c                              Prepared by KPMG LLP, an Independent Public Accounting Firm\n                                for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\nThe NCFMS User Acceptance Test Plan, Version 1.1, states that integration testing is\nused to, \xe2\x80\x9ctest integration software between NCFMS and external systems to validate\nthat all integration points are functioning as expected.\xe2\x80\x9d\n\nAccording to the NIST SP 800-53, Recommended Security Controls for Federal\nInformation Systems, an information system should check information for accuracy,\ncompleteness, validity, and authenticity.\n\nOCFO management did not perform a specific completeness and accuracy validation\nbecause they felt that sufficient checks were being performed through user acceptance\ntesting and interconnectivity testing.\n\nWithout testing the completeness and accuracy of data being transferred between the\nreal-time interfaces and NCFMS, there is an increased risk that incorrect data will be\ninput into NCFMS. As a result both data in NCFMS and, in some cases, data in\napplications that interface with NCFMS, may be incomplete or inaccurate. As a result,\nerrors may occur in the system that limit its ability to process financial data properly and\nmeet DOL\xe2\x80\x99s financial reporting requirements.\n\nObjective 4 \xe2\x80\x93 Was the OCFO\xe2\x80\x99s mock data conversion testing designed and\nexecuted in accordance with Federal, DOL, and system implementation industry\nstandards?\n\nThe OCFO\xe2\x80\x99s mock data conversion testing was not designed and executed in\naccordance with Federal, DOL and system implementation standards. Details which\nsupport our determination are provided below.\n\nThe OCFO had developed data conversion processes to migrate data from the legacy\nsystems (including DOLAR$) to NCFMS and to verify the completeness and accuracy of\ndata transfer.\n\nTo identify problems with the data conversion processes and with the data itself, the\nOCFO planned a series of five mock data conversion exercises prior to the system\nimplementation date. The OCFO planned to use the results from subsequent mock\ndata conversion exercises to verify that errors identified in earlier mock data\nconversions had been corrected. As of December 17, 2009, the OCFO has performed\nfour of the five planned mock data conversions. The OCFO planned tests to verify that\ndata was migrated completely and accurately from source data to NCFMS for each\nmock data conversion.\n\nImplementation Risk 9 \xe2\x80\x93 Evidence to determine if a source system data extract\nwas validated for completeness could not be obtained.\n\nWe determined that prior to the mock data conversions, source data to be migrated is\nextracted from DOLAR$ and other source systems. For the Mock IV conversion, the\nOCFO validated the completeness of the DOLAR$ general ledger extract by comparing\n\n                                                         New Core Financial Management System\n                                             25                    Report No. 22-10-014-13-001\n\x0c                               Prepared by KPMG LLP, an Independent Public Accounting Firm\n                                 for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\nthe extract to a DOLAR$ trial balance report. However, the OCFO did not provide\ndocumentation to evidence that a validation over the completeness and accuracy of the\nDOLAR$ Documents File extract was performed. The DOLAR$ documents file contains\nsub-ledger data for obligations and grants.\n\nThe NCFMS Grants Management Migration Design, version 1.2, section 4.1.1.1 states,\n\xe2\x80\x9cThe DOLAR$ document file extract will be validated by DOL personnel prior to using in\nthe grant data migration.\xe2\x80\x9d\n\nThe NCFMS Request-To-Procure (Open Obligation) Migration Design, version 1.2,\nsection 4.1.1.1 states, \xe2\x80\x9cThe DOLAR$ document file extract will be validated by DOL\npersonnel prior to using in the Request-to-Procure data migration.\xe2\x80\x9d\n\nManagement indicated that due to resource constraints and competing priorities for\nDOL\xe2\x80\x99s staff and contractors who are supporting the migration of data from DOLAR$ to\nNCFMS, DOL\xe2\x80\x99s staff and contractors were not able to provide evidence that the\nDOLAR$ documents file extract was validated for completeness and accuracy prior to\nthe Mock IV data conversion.\n\nWithout documented evidence that all source system data extracts are validated for\ncompleteness, the risk exists that DOL\xe2\x80\x99s mock data conversion processes and the cut-\nover data migration prior to implementation may not migrate all relevant DOL data into\nNCFMS.\n\nImplementation Risk 10 \xe2\x80\x93 Required throughput rates have not yet been reached.\n\nTo effect the transfer of data from DOLAR$ and other legacy systems to NCFMS, the\nOCFO planned a data conversion process that included automated process steps to\nload legacy system data extracts to staging tables, apply mapping logic to transform\nlegacy data into NCFMS-compatible data, and process the transformed data into\nNCFMS. The OCFO uses the term \xe2\x80\x9cthroughput\xe2\x80\x9d to refer to the percentage of source\nsystem records (i.e., from DOLAR$) that are successfully processed from initial\nextraction to output as NCFMS-compatible records to records in the NCFMS. Source\nsystem records that fail at any point in the data conversion process and consequently\nare not successfully processed into NCFMS are not considered throughput.\nThe NCFMS Data Migration Data Verification Plan, dated December 7, 2008, provides\nthe throughput percentages that are required in order for data conversion to be\nconsidered successful. We noted that the Mock IV data conversion, the most recently\ncompleted mock data conversion exercise, which occurred on October 9, 2009, to\nNovember 6, 2009, yielded the following throughput values:\n\nBusiness Process                                                                Mock IV Throughput\n       Area                         Required Throughput Level                      Percentage\nRequest-to-Procure   99.5% to meet expectations, 99.7% to exceed expectations         97.97%\nSuppliers            99.5% to meet expectations, 99.7% to exceed expectations         95.63%\nProcure-to-Pay       99.5% to meet expectations, 99.7% to exceed expectations         96.20%\n\n\n                                                           New Core Financial Management System\n                                               26                    Report No. 22-10-014-13-001\n\x0c                               Prepared by KPMG LLP, an Independent Public Accounting Firm\n                                 for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\nBusiness Process                                                                Mock IV Throughput\n         Area                       Required Throughput Level                      Percentage\nBill-to-Collect      99.5% to meet expectations, 99.7% to exceed expectations        100.00%\nCustomers            100% to meet expectations                                       100.00%\nGrants               99.5% to meet expectations, 99.7% to exceed expectations         99.88%\nAcquire-to-Dispose   99.5% to meet expectations, 99.7% to exceed expectations         98.02%\nBuild-to-Cost        99.5% to meet expectations, 99.7% to exceed expectations        100.00%\nEmployees            99.5% to meet expectations, 99.7% to exceed expectations         73.28%\nGeneral Ledger       100% to meet expectations                                         100%\n\nWhile we noted that action items were documented in the Mock IV control reports to\nresolve errors, we could not obtain evidence to determine if errors identified in the Mock\nIV data conversion were resolved. We noted that Mock V started on November 10,\n2009, and was planned until December 18, 2009. However, final results of the exercise\nwere not available as of the date we completed fieldwork; therefore, we could not\ndetermine if prior errors identified in Mock IV were addressed.\n\nAdditionally, control reports from the Mock IV data conversion exercise identified 66\ndata migration errors or issues, which were manifested in 21,958 individual errors.\nManagement informed us that errors are being communicated to those responsible for\nresolving them through a variety of methods, including mock data conversion results\ndebrief meetings, daily issue update meetings, submission of change control tickets,\nand other outlets. Although DOL has several methods of managing the resolution of\ndata conversion errors, other than the results from subsequent mock data conversions,\nthere is no centralized tracking of error resolution. As a result, we were unable to obtain\nevidence that all data migration errors identified by the Mock IV data conversion were\nbeing tracked through resolution.\n\nBy not tracking all data migration errors identified during the Mock IV data conversion\nthrough resolution, DOL management is relying on the results of the Mock V conversion\nfor definitive information on the status of errors identified by Mock IV. Additionally, since\nMock V results are not scheduled to be reviewed by management until December 24,\n2009, there are a limited number of days prior to the planned go-live date in January\n2010 for the OCFO to correct any remaining errors as may be necessary to achieve the\nrequired throughput levels.\n\nImplementation Risk 11 \xe2\x80\x93 Mock IV data conversion test results do not include\nevidence that all planned tests to verify the accuracy of data migration were\nperformed.\n\nThe OCFO\xe2\x80\x99s Mock IV data conversion documented test results included explicitly\ndocumented test results for 58 of 107 planned data verification tests. Although results\nfor tests of completeness (i.e., to verify aggregate record counts and dollar amounts)\nwere documented for all business processes, test results were not consistently\ndocumented for the planned tests of accuracy. Planned tests for which documented\nresults were not available included tests to verify the accuracy of non-dollar amount\nfields containing data elements such as Common Government-wide Accounting\n\n                                                           New Core Financial Management System\n                                               27                    Report No. 22-10-014-13-001\n\x0c                               Prepared by KPMG LLP, an Independent Public Accounting Firm\n                                 for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\nClassification (CGAC) lines, dates, names, descriptions, types, category codes, and\nbank account numbers. Also, for some accuracy tests, the test results were\ndocumented only to the extent that the relevant fields from DOLAR$ and NCFMS were\nboth included in the same worksheet, without any explicit indication that the DOLAR$\nand NCFMS fields had been compared. The OCFO\xe2\x80\x99s contractor informed us that in\nsome such instances the accuracy testing of the relevant fields had consisted of an\nundocumented, haphazard review of field values. The table below shows by business\nprocess the number of planned accuracy verification tests for which the OCFO\xe2\x80\x99s\ncontractor documented results.\n\n                      Number of                    Results Consist\n                       Planned        Tests with     of Limited       Planned     Percentage of\n  Business Process    Verification   Documented     Evidence of      Tests with       Tests\n        Area             Tests         Results     Cursory Review    No Results   Documented\nRequest-to-Procure       22              15              0               7           68.18%\nSuppliers                 4              3               1               0           75.00%\nProcure-to-Pay           16               9              2               5           56.25%\nBill-to-Collect           7               4               1               2          57.14%\nCustomers                 7              2               2               3           28.57%\nGrants                   18              14              0               4           77.78%\nAcquire-to-Dispose        9              4               0               5           44.44%\nBuild-to-Cost            11               2              3               6           18.18%\nEmployees                 5               2              1               2           40.00%\nGeneral Ledger            8              3               0               5           37.50%\nTOTAL                    107             58              10              39          54.21%\n\nAdditionally, the plans for data verification did not always clearly identify how data\nverification should be achieved by the OCFO.\n\nNCFMS DOL Data Migration Strategy Document (Legacy Data Plan) Revised, section\n2.6 states, \xe2\x80\x9cThe migration approach contains the following themes \xe2\x80\xa6 measure and\nverify accuracy and throughput of the migration using the control reports and verification\nmetrics.\xe2\x80\x9d\n\nIEEE/EIA Guide Industry Implementation of International Standard ISO/IEC 12207:\n1995 (ISO/IEC 12207) Standard for Information Technology, Software life cycle\nprocesses, Implementation considerations section 5.5.5.2 states, \xe2\x80\x9cA migration plan\nshall be developed, documented, and executed. The planning activities shall\ninclude users. Items included in the plan shall include the following:\n\n          a)   Requirements analysis and definition of migration,\n          b)   Development of migration tools,\n          c)   Conversion of software product and data,\n          d)   Migration execution,\n          e)   Migration verification, and\n          f)   Support for the old environment in the future.\xe2\x80\x9d\n\n                                                          New Core Financial Management System\n                                              28                    Report No. 22-10-014-13-001\n\x0c                            Prepared by KPMG LLP, an Independent Public Accounting Firm\n                              for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\nThe OCFO has not documented the performance and results of each planned data\nverification step. OCFO management represented to us that in some cases they\nexecuted verification tests that involved non-dollar amount fields by performing a\ncursory review and comparison of migrated data to source data.\n\nFailing to document the results for all planned data accuracy verification tests may\nlessen management\xe2\x80\x99s ability to exercise oversight of the performance of data\nverification tests, and as a result, the OCFO\xe2\x80\x99s mock conversion tests may not be\nperformed consistent with management\xe2\x80\x99s intent, which may lead to verification testing\nthat fails to detect instances where records were not accurately converted from source\nsystems to NCFMS. This, in turn, may lead to inaccurate data conversion results during\nthe live data migration that the OCFO will perform during the cut-over period.\n\nUpdates to Alert Memorandums\n\nAdditionally, we monitored the actions taken by DOL to address the two Alert\nMemorandums issued by the Office of Inspector General (OIG) based on the previous\npre-implementation review effort.\n\nUpdate to Alert Memorandum #1 \xe2\x80\x93 Training has not been appropriately completed\nby all pertinent DOLAR$ users.\n\nOn August 21, 2009, the OIG issued an Alert Memorandum, OIG Report Number 22-09-\n014-13-001, noting that 23 percent of the DOLAR$ users had not completed any\nrequired training for NCFMS. Additionally, the Alert Memorandum noted that none of\nthe Procurement-Electronic Purchasing System (EPS), Grants-Electronic Grants, and\nPurchase Cards users had completed any of the required training. The OIG\nrecommended that the Department ensure that all applicable DOL users be assigned\nappropriate roles and responsibilities, and receive adequate training prior to the\nimplementation of NCFMS.\n\nWhile the OCFO agreed with the recommendation and provided DOL users with\nadditional training during September 2009, we were informed by various future NCFMS\nusers that the training offered had not met their needs, and that they have requested\nadditional training. As a result, we noted that the OCFO continued to increase the\navailability of training throughout the remaining months leading up to the\nimplementation. The OCFO involved SMEs and invited representatives from each\nagency and business process area to the trainings. Additionally, we confirmed through\ncorroborative inquiry that the training environment was moved from the NCFMS\ncontractor\xe2\x80\x99s offices in Reston, Va., to the DOL Headquarters in Washington, D.C. to\nfacilitate attendance at the training classes.\n\nUpdate to Alert Memorandum #2 \xe2\x80\x93 Cutover reconciliation procedures were not\nappropriately documented.\n\n\n                                                       New Core Financial Management System\n                                           29                    Report No. 22-10-014-13-001\n\x0c                              Prepared by KPMG LLP, an Independent Public Accounting Firm\n                                for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\nOn September 3, 2009, the OIG issued an Alert Memorandum, OIG Report Number 22-\n09-015-13-001, noting that the procedures to perform a reconciliation of all transactions\nrecorded during the cutover period had not been finalized and were in draft as of\nAugust 31, 2009. The OIG recommended the following to the OCFO:\n\n\xe2\x80\xa2   Finalize the policies and procedures related to the process that will occur during the\n    cutover period, including the use of workbooks to record transaction data;\n\xe2\x80\xa2   Make a priority to finalize the procedures to perform the reconciliation of all\n    transactions recorded in workbooks with those recorded in NCFMS, and\n\xe2\x80\xa2   Incorporate the cutover period workbook process into the formal NCFMS training.\n\nIn response to the Alert Memorandum, the OCFO finalized the Cut-Over Plan. We\ninspected the plan and determined that the plan outlines the use of the workbooks that\nwill be used to record transactions throughout the cutover period. We noted that the\nOCFO updated the cutover procedures. Per the policy, a NCFMS Cut-Over\nTransactions Workbook (NCTW) will be used to manually track funds status (funding\nand spending) in FY 2010 during the migration period of NCFMS. The NCFMS queue\nwill be used to hold all transactions processed from e-Travel (E2), EPS, and E-Grants\nduring the cut-over period. Each day, the transactions in the queue will be provided to\nDOL budget offices and OCFO\xe2\x80\x99s Office of Fiscal Integrity (OFI) (sorted by agency) to\nmanage their availability of funds from January 1 \xe2\x80\x93 13, 2010. The OCFO will be\nproviding a daily file from the NCFMS queue to DOL that will list all transactions\nprocessed and approved in E2, EPS, and E-Grants during cut-over. The data in the file\ncan be summarized and recorded in the NCTW for commitments, contract obligations,\nand travel authorizations.\n\nThe policy also included that numerous reconciliations will occur during the cut-over\nperiod. The following is a list of reconciliations to be performed by the responsible\norganization:\n\n\xe2\x80\xa2   OFI will reconcile the NCTW and files provided by the OCFO to the availability of\n    funds to ensure that funds are not exceeded at the allotment and apportionment\n    level.\n\xe2\x80\xa2   Agencies will reconcile funds available to transactions processed in the NCTW and\n    files provided by the OCFO.\n\xe2\x80\xa2   Departmental Budget Center (DBC) will, for small agencies, reconcile funds\n    available to the NCTW and files provided by the OCFO (that include all transactions\n    processed during the cut-over period).\n\xe2\x80\xa2   Office of Financial Systems (OFS) will reconcile all transactions recorded in the\n    NCFMS queue to transactions processed in NCFMS after migration. This will\n    ensure all transactions in the queue are recorded in NCFMS.\n\nThe policy states that supporting documentation will be made available for all\nreconciliations listed above.\n\n                                                         New Core Financial Management System\n                                             30                    Report No. 22-10-014-13-001\n\x0c                            Prepared by KPMG LLP, an Independent Public Accounting Firm\n                              for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\nRECOMMENDATION\n\nWe recommend that the OCFO take into consideration these risks when making its\ndecision to implement the NCFMS.\n\nMANAGEMENT RESPONSE\n\nThe OCFO response stated that they followed the report\xe2\x80\x99s recommendation and\nconsidered in detail the 11 risks and discussed the results in detail during the OCFO\nChange Control Board meeting in consideration of the NCFMS readiness to go forward.\nThe OCFO also stated that they believed that the short audit time frame contributed to\nthe challenges in providing historical and verifiable documentation and also led to some\nmisunderstandings associated with the documentation. The entire OCFO written\nresponse to this draft report is included in Appendix C.\n\nAUDITOR RESPONSE\n\nWe reviewed Management\xe2\x80\x99s Response and updated sections of our report as\nappropriate, specifically the Mock IV Throughput Table in Implementation Risk #10.\nHowever, we believe that historical and verifiable documentation supporting user\nacceptance, batch interface, integration, and mock migration testing should have been\navailable for the OCFO to be able to properly oversee the third party contractor\nresponsible for the implementation and to accept the associated deliverables as\nneeded. In addition, we analyzed management\xe2\x80\x99s response to the draft report and found\nnothing in their response that changed our conclusions regarding the implementation\nrisks identified. Please refer to Appendix D for our analysis of Management\xe2\x80\x99s\nResponse.\n\n\n\n\n                                                       New Core Financial Management System\n                                           31                    Report No. 22-10-014-13-001\n\x0c   Prepared by KPMG LLP, an Independent Public Accounting Firm\n     for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\n\n\nPAGE INTENTIONALLY LEFT BLANK\n\n\n\n\n                              New Core Financial Management System\n                  32                    Report No. 22-10-014-13-001\n\x0c             Prepared by KPMG LLP, an Independent Public Accounting Firm\n               for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\n\nAppendices\n\n\n\n\nAppendices\n\n\n\n\n                                        New Core Financial Management System\n                            33                    Report No. 22-10-014-13-001\n\x0c   Prepared by KPMG LLP, an Independent Public Accounting Firm\n     for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\n\n\nPAGE INTENTIONALLY LEFT BLANK\n\n\n\n\n                              New Core Financial Management System\n                  34                    Report No. 22-10-014-13-001\n\x0c                            Prepared by KPMG LLP, an Independent Public Accounting Firm\n                              for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n                                                                               Appendix A\nBackground\n\nThe United States (U.S.) Department of Labor (DOL or Department) is comprised of 30\nagencies and more than 17,000 employees located within the District of Columbia and\nin six regions throughout the U.S. The Department\xe2\x80\x99s responsibilities include, but are not\nlimited to, establishing and monitoring standards related to occupational safety, wages\nand hours; unemployment insurance benefits; and re-employment services.\n\nDOL\xe2\x80\x99s financial management functions, processes, and activities are currently\ndistributed across multiple information systems and financial applications, and are all\ncentered on the Department of Labor Accounting and Related Systems (DOLAR$)\nmainframe accounting system. DOLAR$ has been in service since 1989 and has been\nboth enhanced and extended to meet departmental and external requirements. While\nDOLAR$ has been able to meet the Department\xe2\x80\x99s needs, its technology is outdated and\nis no longer able to efficiently and effectively meet the DOL\xe2\x80\x99s financial management\nrequirements.\n\nTo effectively support the organization, DOL plans to migrate from DOLAR$ to a new\ncore financial management system (NCFMS). In July 2008, DOL elected to contract\nwith an external third-party vendor as its Financial Management Line of Business\n(FMLoB) SSP. As such, a third party contractor provided DOL with a preconfigured\nenvironment using a Financial Systems Integration Office (FSIO) certified Commercial\nOff-the-Shelf (COTS) financial management system, Oracle Federal Financials.\nAdditionally, the OCFO\xe2\x80\x99s support contractor plans to perform various configurations of\nthe modules and sub-modules to meet the requirements of the DOL business\nprocesses. These configurations will follow the OMB financial system guidelines.\n\nThrough the implementation of the NCFMS, DOL plans to provide standardized\nproducts, systems, and services to DOL as well as remain aligned with the FMLoB and\nFSIO guidelines. DOL expects costs to be reduced by customizing the preconfigured\nSSP system, services, and infrastructure and by automating previously manual\nprocesses. In addition, DOL plans to maintain an auditable financial system through the\nsystematic implementation of internal controls.\n\nAfter contracting with a support contractor in July 2008, DOL planned a 15-month\nimplementation period that would conclude at the 2009 fiscal year end. The NCFMS\nimplementation was segmented into the following five phases: Conceptual Planning,\nPlanning and Requirements, Design, Development and Testing, and Implementation.\n\nOriginally, DOLAR$ was planned to process its last transaction on September 28, 2009,\nand NCFMS was scheduled to be fully operational by October 14, 2009. However, on\nSeptember 23, 2009, the OCFO postponed the planned deployment of the new system\nuntil January 14, 2010.\n\n\n\n                                                       New Core Financial Management System\n                                           35                    Report No. 22-10-014-13-001\n\x0c   Prepared by KPMG LLP, an Independent Public Accounting Firm\n     for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\n\n\nPAGE INTENTIONALLY LEFT BLANK\n\n\n\n\n                              New Core Financial Management System\n                  36                    Report No. 22-10-014-13-001\n\x0c                             Prepared by KPMG LLP, an Independent Public Accounting Firm\n                               for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n                                                                                Appendix B\nObjectives, Scope, Methodology, and Criteria\n\nOBJECTIVES\n\nWe conducted a performance audit of the United States (U.S.) Department of Labor\n(DOL) Office of the Chief Financial Officer\xe2\x80\x99s (OCFO) and contractor\xe2\x80\x99s procedures,\noversight, and controls during the New Core Financial Management System (NCFMS)\nimplementation. We designed and executed our audit procedures to address the\nfollowing audit objectives:\n\n  1) Was the OCFO\xe2\x80\x99s user acceptance testing designed and executed in accordance\n     with Federal, DOL, and system implementation industry standards?\n  2) Was the OCFO\xe2\x80\x99s batch interface testing designed and executed in accordance\n     with Federal, DOL, and system implementation industry standards?\n  3) Was the OCFO\xe2\x80\x99s integration testing designed and executed in accordance with\n     Federal, DOL, and system implementation industry standards?\n  4) Was the OCFO\xe2\x80\x99s mock data conversion testing designed and executed in\n     accordance with Federal, DOL, and system implementation industry standards?\n\nIn addition, we performed follow-up activities on the following previous findings related\nto NCFMS pre-implementation activities and communicated by the OIG as Alert\nMemorandums:\n\n   1) Training has not been appropriately completed by all pertinent Department of\n      Labor Accounting and Related Systems (DOLAR$) users.\n   2) Cutover reconciliation procedures were not appropriately documented.\n\nSCOPE\n\nWe performed procedures to determine if there were any gaps in the planned\nimplementation of NCFMS that pose a risk to the integrity, confidentiality, and\navailability of financial data. We conducted our test work at DOL Headquarters in\nWashington, D.C., and the OCFO\xe2\x80\x99s support contractor\xe2\x80\x99s offices in Reston, Va., during\nthe period of November 19, 2009, through December 17, 2009.\n\nMETHODOLOGY\n\nWe conducted our testing by interviewing DOL and contractor management and staff,\nand inspecting relevant documentation. More specifically, for the four audit objectives,\nwe used the following methodologies:\n\n\n\n\n                                                        New Core Financial Management System\n                                            37                    Report No. 22-10-014-13-001\n\x0c                        Prepared by KPMG LLP, an Independent Public Accounting Firm\n                          for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\nObjective 1 \xe2\x80\x93 User Acceptance Testing\n\nWe inquired of the OCFO and contractor members of the NCFMS Team, and\ninspected DOL requirements documents, test cases, and test results in order to\nassess whether user acceptance testing was appropriately completed by DOL\nusers.\n\nTo assess if the user acceptance environment was the same environment that\nwould be put into production and modified based upon the results of user\nacceptance testing, we inspected a listing of when software builds were\nimplemented into the NCFMS and the Shared Service Provider (SSP) Appliance.\nWe also obtained the detailed changes associated with each software release and\nassessed the types of changes made to determine if they could be tied back to\nerrors identified in user acceptance testing. Additionally, we compared the dates\nassociated with each software build to determine if user acceptance testing was\nappropriately performed.\n\nTo assess if user acceptance testing was appropriately performed, we inspected the\nGap Analysis documents to identify the business functional requirements. Based\nupon the requirements identified, we inspected User Acceptance Test Plans,\nassociated test cases, and results to determine if the test cases and results tested\nfor each business case were appropriately documented for each requirement.\n\nTo assess the number of DOL users who participated in user acceptance testing,\nwe inspected the user acceptance test results to assess the extent of which DOL\nusers participated. Additionally, we obtained documentation evidencing the\nOCFO\xe2\x80\x99s re-performance of user acceptance testing and reviewed listings provided\nby the OCFO indicating which DOL users participated in portions of user\nacceptance testing.\n\nObjective 2 \xe2\x80\x93 Interface Testing\n\nWe inquired of the OCFO and contractor members of the NCFMS Team, and\ninspected DOL interface design and requirements documents, test cases, and test\nresults to assess whether batch interface testing was appropriately performed.\n\nTo assess DOL controls relative to the testing of data interfaces between NCFMS\nand other systems, we inspected requirements documentation to determine whether\nit included a list of interfaces, and for each interface, included a functional\ndescription, integration requirements and process flows. We inspected the interface\ndesign documentation for each interface to determine whether the interface\nrequirements were addressed within the interface designs and inspected user\nacceptance test plans and test results to determine if the requirements were\nappropriately tested.\n\n\n\n                                                   New Core Financial Management System\n                                       38                    Report No. 22-10-014-13-001\n\x0c                         Prepared by KPMG LLP, an Independent Public Accounting Firm\n                           for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\nWe inspected the interface test plans for the in-scope batch systems that will\ninterface with NCFMS and determined if the test plans covered the interface\nrequirements. We subsequently inspected test results to determine whether testing\nwas completed in accordance with the documented interface requirements and test\nplans.\n\nIf issues were identified during testing, we determined whether or not the issue had\nbeen remediated and the requirement had been retested prior to implementing\nNCFMS into production.\n\nAdditionally, we inspected interconnectivity test results to determine if tests were\nperformed around the completeness and accuracy of data transferred between the\nbatch interfaces and NCFMS.\n\nObjective 3 \xe2\x80\x93 Integration Testing\n\nWe inquired of the OCFO and contractor members of the NCFMS Team, and\ninspected DOL integration design and requirements documents, test cases, and test\nresults to assess whether integration testing was appropriately performed.\n\nTo assess DOL controls relative to the testing of data interfaces between NCFMS\nand other systems, we inspected requirements documentation to determine whether\nit included a list of real-time interfaces, and for each interface, included a functional\ndescription, integration requirements and process flows. We inspected the interface\ndesign documentation for each real-time interface to determine whether the\ninterface requirements were fully addressed within the interface designs and\ninspected user acceptance test plans and test results to determine if the\nrequirements were appropriately tested.\n\nWe inspected the interface test plans for the real-time systems that will interface\nwith NCFMS and determined if the test plans covered the interface integration\nrequirements. We subsequently inspected test results to determine whether testing\nhad been completed in accordance with the documented real-time interface\nrequirements and test plans.\n\nIf issues were identified during testing, we determined whether or not the issue had\nbeen remediated and the requirement had been retested prior to implementing\nNCFMS into production.\n\nAdditionally, we inspected interconnectivity test results to determine if tests were\nperformed around the completeness and accuracy of data transferred between the\nreal-time interfaces and NCFMS.\n\n\n\n\n                                                    New Core Financial Management System\n                                         39                   Report No. 22-10-014-13-001\n\x0c                            Prepared by KPMG LLP, an Independent Public Accounting Firm\n                              for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n    Objective 4 \xe2\x80\x93 Mock Data Conversion\n\n    We inquired of the OCFO and contractor members of the NCFMS Team, and\n    inspected DOL mock data conversion design and verification documents, data\n    conversion control reports, data validation techniques, source data extract\n    procedures, and error tracking methods.\n\n    To assess the mock data conversion process, we reviewed data validation\n    documents and noted the fields to be converted and verified through the mock\n    conversion iterations. We compared the validation fields to the control reports for\n    each business process area to determine if there were any gaps. For gaps that\n    were identified, we inquired of OCFO management to determine if there were\n    explanations for gaps.\n\n    We noted errors identified on the control reports and inquired of OCFO\n    management to determine if errors were being tracked through resolution.\n\n    Additionally, we spoke to, and reviewed the work of, individuals responsible for\n    providing and validating data extracts used as the source data for the conversion to\n    determine if controls helped ensure that source data was complete and accurate.\n\nThe performance audit was conducted in accordance with Government Auditing\nStandards, issued by the Comptroller General of the United States. The system\nimplementation process areas we included in the scope of this performance audit were\nidentified by the DOL, Office of Inspector General using a risk-based approach, which\ntook into account those areas with the highest level of risk associated with the\nimplementation, as well as those that could potentially have an impact on future DOL\nfinancial statements.\n\nCRITERIA\n\nGuidance for our pre-implementation performance audit included, but was not limited to,\nthe following:\n      \xe2\x80\xa2   DOL System Development Life Cycle Management (SDLCM), Version 2.2\n      \xe2\x80\xa2   Office of Management and Budget (OMB) Circular No. A-127: Financial\n          Management Systems\n      \xe2\x80\xa2   National Institute of Standards and Technology (NIST) Special Publication\n          (SP) 800-53, Recommended Security Controls for Federal Information\n          Systems\n      \xe2\x80\xa2   Institute of Electrical and Electronics Engineers (IEEE) Standard (Std) 1012-\n          1998, Software Verification and Validation\n\n\n\n\n                                                       New Core Financial Management System\n                                           40                    Report No. 22-10-014-13-001\n\x0c                     Prepared by KPMG LLP, an Independent Public Accounting Firm\n                       for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\xe2\x80\xa2   IEEE Std 1008-1987, Software Unit Testing\n\xe2\x80\xa2   IEEE Std 830-1998, IEEE Recommended Practice for Software Requirements\n    and Specifications\n\xe2\x80\xa2   IEEE Std 12207:1995, Standard for Information Technology, Software Life\n    Cycle Process\n\n\n\n\n                                                New Core Financial Management System\n                                    41                    Report No. 22-10-014-13-001\n\x0c   Prepared by KPMG LLP, an Independent Public Accounting Firm\n     for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\n\n\nPAGE INTENTIONALLY LEFT BLANK\n\n\n\n\n                              New Core Financial Management System\n                  42                    Report No. 22-10-014-13-001\n\x0c                      Prepared by KPMG LLP, an Independent Public Accounting Firm\n                        for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n                                                                         Appendix C\nManagement Response\n\n\n\n\n                                                 New Core Financial Management System\n                                     43                    Report No. 22-10-014-13-001\n\x0cPrepared by KPMG LLP, an Independent Public Accounting Firm\n  for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\n\n\n                           New Core Financial Management System\n               44                    Report No. 22-10-014-13-001\n\x0cPrepared by KPMG LLP, an Independent Public Accounting Firm\n  for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\n\n\n                           New Core Financial Management System\n               45                    Report No. 22-10-014-13-001\n\x0cPrepared by KPMG LLP, an Independent Public Accounting Firm\n  for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\n\n\n                           New Core Financial Management System\n               46                    Report No. 22-10-014-13-001\n\x0cPrepared by KPMG LLP, an Independent Public Accounting Firm\n  for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\n\n\n                           New Core Financial Management System\n               47                    Report No. 22-10-014-13-001\n\x0cPrepared by KPMG LLP, an Independent Public Accounting Firm\n  for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\n\n\n                           New Core Financial Management System\n               48                    Report No. 22-10-014-13-001\n\x0cPrepared by KPMG LLP, an Independent Public Accounting Firm\n  for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\n\n\n                           New Core Financial Management System\n               49                    Report No. 22-10-014-13-001\n\x0c   Prepared by KPMG LLP, an Independent Public Accounting Firm\n     for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\n\n\nPAGE INTENTIONALLY LEFT BLANK\n\n\n\n\n                              New Core Financial Management System\n                  50                    Report No. 22-10-014-13-001\n\x0c                           Prepared by KPMG LLP, an Independent Public Accounting Firm\n                             for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n                                                                             Appendix D\nAuditor Response\n\n            Implementation          OCFO Response\n               Risk as of                  dated\n Objective   December 17,             December 24,\n   Area           2009                      2009                 Auditor Response\nUser       Comprehensive          Risk 1 \xe2\x80\x93 Disagree.      Implementation Risk 1 -\nAcceptance user acceptance        UAT encompassed         Based upon the\nTesting    testing was not        1749 test cases (see    documentation reviewed, we\n           conducted on the       Table 1), and met all   could not determine whether\n           NCFMS version          of the valid Go-Live    UAT testing was completed in\n           planned for            requirements for        an environment with a\n           implementation.        NCFM; of the 1749       consistent configuration\n           (Risk 1)               test conducted, 1742    baseline for both NCFMS and\n                                  passed and 7 failed.    its associated interfaces. The\n                                  As confirmed in the     1,749 test cases referred to\n                                  IV&V report, 7 were     the OCFO were completed by\n                                  identified as non-      the end of October. However,\n                                  critical and will be    we noted three software\n                                  resolved post go-       releases have been\n                                  live. Additional        implemented in the user\n                                  testing for P-Card      acceptance test environment.\n                                  functionality is        These changes occurred after\n                                  presently underway.     UAT completion and no\n                                                          evidence was provided by the\n                                                          OCFO to support the position\n                                                          that UAT, which supports the\n                                                          full functionality of the system,\n                                                          was conducted on the\n                                                          NCFMS instance that plans to\n                                                          go-live.\n\n                                                        Subsequent to the issuance\n                                                        of our draft report, the IV&V\n                                                        team issued its final report;\n                                                        however, it did not include\n                                                        any discussion or results\n                                                        associated with UAT testing.\n            DOL users were        Risk 2 \xe2\x80\x93 Disagree.    Implementation Risk 2 \xe2\x80\x93 DOL\n            not involved in all   Approximately 129     could not provide evidence to\n            phases of user        DOL users             support that 129 DOL users\n            acceptance            participated in UAT   were involved in all phases of\n            testing. (Risk 2)     testing including     UAT testing covering the\n                                  specific support from period of August through\n                                  the PMO and from      October. We were informed\n\n                                                      New Core Financial Management System\n                                          51                    Report No. 22-10-014-13-001\n\x0c                             Prepared by KPMG LLP, an Independent Public Accounting Firm\n                               for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n              Implementation          OCFO Response\n                Risk as of                  dated\n Objective     December 17,            December 24,\n   Area            2009                      2009                 Auditor Response\n                                    the IV&V team; this     by OCFO that DOL users did\n                                    represents more         not perform all the UAT test\n                                    than 30% of the         scenarios and that their\n                                    current total number    support contractor conducted\n                                    of DOLAR$ users.        UAT on those test cases not\n                                                            tested by DOL users.\n                                    More than 1,900         Furthermore, the final IV&V\n                                    attended training;      report did not include any\n                                    most of them            discussion or results on UAT,\n                                    received training in    indicating that the OCFO was\n                                    hands-on                placing inappropriate reliance\n                                    workshops; there        on the IV&V team for the\n                                    are more than 1,100     success of UAT testing.\n                                    anticipated NCFMS\n                                    users.                Training is not a substitute for\n                                                          user acceptance testing being\n                                                          performed by users. While it\n                                                          is beneficial for a user to\n                                                          become familiar with system\n                                                          functionality and menus,\n                                                          specific user acceptance test\n                                                          cases were not developed\n                                                          and tested by the users to\n                                                          formally test functionality of\n                                                          the system during the training\n                                                          sessions.\nUser          Evidence could        Risk 3 \xe2\x80\x93 Disagree. In Implementation Risk 3 \xe2\x80\x93 The\nAcceptance    not be obtained       the audit report,     focus of our review was on\nTesting       to determine if all   KPMG identified 600 identifying if all business\n(continued)   business process      unique and valid      process requirements were\n              requirements          requirements (from    included in the planned UAT\n              under user            the gap workshops)    and that the requirements\n              acceptance            required for Go-Live; were actually tested. We\n              testing were          of the 600            noted 168 unique\n              appropriately         requirements,         requirements out of the 773\n              tested. (Risk 3)      KPMG identified       total requirements that were\n                                    only 6 reports as     identified in the OCFO\xe2\x80\x99s gap\n                                    being unavailable for analysis workshops that were\n                                    testing; these        never tested during UAT. The\n                                    reports were          OCFO did not provide\n                                    deferred until after  evidence to support that this\n                                    Go-Live; all other    set of 168 requirements had\n\n                                                        New Core Financial Management System\n                                            52                    Report No. 22-10-014-13-001\n\x0c                          Prepared by KPMG LLP, an Independent Public Accounting Firm\n                            for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n            Implementation         OCFO Response\n              Risk as of                 dated\nObjective    December 17,            December 24,\n  Area           2009                     2009                 Auditor Response\n                                 valid requirements      at least one test case that\n                                 were met by NCFMS       was tested and passed.\n                                 and this result is      Therefore, we determined that\n                                 confirmed by the        not all of the valid business\n                                 IV&V report.            process requirements were\n                                                         tested during UAT.\n\n                                                        Furthermore, the final IV&V\n                                                        report did not include any\n                                                        discussion or results on UAT,\n                                                        indicating that the OCFO was\n                                                        placing inappropriate reliance\n                                                        on the IV&V team for the\n                                                        success of UAT testing.\n            Reconciliation of    Risk 4 \xe2\x80\x93 Agree.        Implementation Risk 4 \xe2\x80\x93 No\n            standard financial   Standard financial     further comments.\n            reporting has not    reports are out of the Management agreed with the\n            yet been             box functionality      risk as stated in the report.\n            performed. (Risk     offered by Oracle\n            4)                   Federal Financial as\n                                 a FSIO-certified\n                                 COTS financial\n                                 management\n                                 software application\n                                 (and thus tested by\n                                 Oracle pending\n                                 certification from\n                                 GSA).\n                                 The DOL Trial\n                                 Balance Report was\n                                 verified and\n                                 reconciled by DOL.\n                                 Reconciling the\n                                 remaining financial\n                                 reports containing\n                                 DOL production data\n                                 is planned for after\n                                 Go-Live.\n                                 It should be noted\n                                 that all of the other\n                                 financial reports use\n                                 the trial balance data\n\n                                                     New Core Financial Management System\n                                         53                    Report No. 22-10-014-13-001\n\x0c                          Prepared by KPMG LLP, an Independent Public Accounting Firm\n                            for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n             Implementation       OCFO Response\n               Risk as of                dated\n Objective    December 17,          December 24,\n   Area           2009                    2009                 Auditor Response\n                                sets as their\n                                foundation.\nBatch        A completeness     Risk 5 - Disagree.       Implementation Risk 5 \xe2\x80\x93\nInterface    and accuracy       All interfaces           While the OCFO stated that\nTesting      validation was     including batch and      batch and real-time interfaces\n             not performed      real-time were fully     were tested for completeness\n             between the        tested for               and accuracy during UAT, this\n             batch interfaces   completeness and         testing was not evidenced in\n             and NCFMS          accuracy of the data     the UAT test results provided\n             (Risk 5)           transfer during UAT;     to us by the OCFO for all of\n                                all related test cases   the in-scope interfaces. We\n                                were passed and          noted that the UAT test\n                                confirmed by the         results only demonstrate that\n                                IV&V report.             the functionality of the\n                                This type of testing,    interfaces connecting to\n                                while repeated in the    NCFMS are operating as\n                                course of more           intended. However, they do\n                                recent connectivity      not specifically validate that\n                                testing, was never       data is able to be transferred\n                                intended to be           completely and accurately\n                                repeated during the      between the interfaces and\n                                connectivity tests.      NCFMS.\n                                BLS integration\n                                testing of new           On December 16, 2009, we\n                                Checkbook interface      inquired of the OCFO and\n                                to EPS is completed.     requested documentation to\n                                                         determine if completeness\n                                                         and accuracy testing was\n                                                         performed elsewhere. We\n                                                         were informed that the\n                                                         connectivity test results would\n                                                         include evidence to\n                                                         demonstrate that data is able\n                                                         to be passed between the\n                                                         interfaces and NCFMS\n                                                         completely and accurately.\n                                                         However, we reviewed the\n                                                         connectivity test results and\n                                                         determined that these tests\n                                                         did not include the necessary\n                                                         test steps to validate that data\n                                                         being passed between the\n\n                                                     New Core Financial Management System\n                                         54                    Report No. 22-10-014-13-001\n\x0c                            Prepared by KPMG LLP, an Independent Public Accounting Firm\n                              for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n              Implementation        OCFO Response\n                Risk as of              dated\n Objective     December 17,          December 24,\n   Area            2009                  2009                    Auditor Response\n                                                           interfaces and NCFMS was\n                                                           complete and accurate.\n\n                                                           The BLS integration testing\n                                                           was completed after our\n                                                           fieldwork end date, December\n                                                           17, 2009. Therefore, we\n                                                           cannot comment on it.\nReal-Time     Not all real-time    Risk 6 - Disagree.      Implementation Risk 6 - On\nInterface     interface            Result 6 specifically December 16, 2009 we were\nTesting       requirements         refers to a single test provided the OCFO evidence\n              were                 case related to EPS to satisfy this requirement,\n              appropriately        error messages          which included a screen print\n              tested during the    showing up for the      of one error message. The\n              user acceptance      user; this was          requirement was to ensure\n              test phase. (Risk    passed and              that \xe2\x80\x9call\xe2\x80\x9d error messages were\n              6)                   documentation was       available to users.\n                                   provided to KPMG.       Accordingly, we concluded\n                                   All real-time           that this requirement was not\n                                   requirements were       appropriately tested because\n                                   tested and passed       certain error messages were\n                                   during UAT and          not tested by the UAT.\n                                   confirmed in the\n                                   IV&V report;\n                                   KPMG\'s assessment\n                                   of the requirements\n                                   passing is further\n                                   evidenced in their\n                                   report\'s description\n                                   of the 600\n                                   requirements that\n                                   were tested and\n                                   passed.\nReal-Time     Evidence could       Risk 7 - Disagree.      Implementation Risk 7 \xe2\x80\x93\nInterface     not be obtained      All 17 issues related Throughout our fieldwork, we\nTesting       to determine if      to integration testing requested evidence to\n(continued)   failed integration   identified during       demonstrate that the 17\n              test cases were      UAT were corrected integration issues identified\n              corrected and re-    and passed; this is     were corrected, retested, and\n              tested. (Risk 7)     confirmed in the        followed the change\n                                   IV&V report.            management process. The\n                                                           OCFO did not provide any\n\n                                                       New Core Financial Management System\n                                           55                    Report No. 22-10-014-13-001\n\x0c                           Prepared by KPMG LLP, an Independent Public Accounting Firm\n                             for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n              Implementation       OCFO Response\n                Risk as of             dated\n Objective     December 17,         December 24,\n   Area            2009                 2009                    Auditor Response\n                                                           documented evidence\n                                                           regarding these 17 issues.\n\nReal-Time     A completeness      Risk 8 - Disagree.       Implementation Risk 8 \xe2\x80\x93 We\nInterface     and accuracy        The accuracy and         reviewed the UAT test results\nTesting       validation was      completeness of          for two real-time interfaces\n(continued)   not performed       data exchanged           and determined that\n              between the real-   between systems          completeness and accuracy\n              time interfaces     was performed as         testing was not performed.\n              and NCFMS.          part of UAT in           According to the OCFO\xe2\x80\x99s test\n              (Risk 8)            accordance with the      plans, UAT was designed to\n                                  test plans. All test     validate that the functionality\n                                  results were made        of the real-time interfaces was\n                                  available to the audit   operating as intended.\n                                  team. KPMG               Additionally, based upon the\n                                  incorrectly ascribes     documentation provided by\n                                  expected outcomes        the OCFO, UAT testing did\n                                  to the testing phases    not specifically validate that\n                                  of UAT and               data is able to be transferred\n                                  Connectivity Testing,    completely and accurately\n                                  often using each         between the interfaces and\n                                  term                     NCFMS.\n                                  interchangeably.\n                                  Accuracy and             On December 16, 2009, we\n                                  completeness             inquired of the OCFO and\n                                  testing of data          requested documentation to\n                                  exchanged was not        determine if completeness\n                                  an aim of                and accuracy testing was\n                                  Connectivity testing.    performed elsewhere. We\n                                                           were informed by OCFO that\n                                                           the connectivity test results\n                                                           included evidence to\n                                                           demonstrate that data is able\n                                                           to be passed between the\n                                                           interfaces and NCFMS\n                                                           completely and accurately.\n                                                           We reviewed the connectivity\n                                                           test results and determined\n                                                           that these tests did not\n                                                           include the necessary test\n                                                           steps to validate that data\n                                                           being passed between the\n\n                                                      New Core Financial Management System\n                                          56                    Report No. 22-10-014-13-001\n\x0c                            Prepared by KPMG LLP, an Independent Public Accounting Firm\n                              for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n              Implementation        OCFO Response\n                Risk as of              dated\n Objective     December 17,          December 24,\n   Area            2009                  2009                    Auditor Response\n                                                           interfaces and NCFMS was\n                                                           complete and accurate.\nMock Data     Evidence to          Risk 9 \xe2\x80\x93 Disagree.      Implementation Risk 9 \xe2\x80\x93 On\nConversion    determine if a       Subject Matter          December 11, 2009, we\n              source system        Experts from DOL        requested evidence to\n              data extract was     and the third party     document steps taken to\n              validated for        contractor held         identify the completeness of\n              completeness         workshops for each      source system data extracts\n              could not be         type of data to be      used for Mock IV data\n              obtained. (Risk 9)   extracted. These        conversion. The OCFO did\n                                   workshops were          not provide any documented\n                                   held throughout the     evidence that a validation\n                                   Data Migration          over the completeness and\n                                   Conversions and         accuracy of the DOLAR$\n                                   included detailed       Documents File source\n                                   analysis of the         system data extract was\n                                   validity and            performed.\n                                   completeness of\n                                   each extract. Control   The mock data conversion\n                                   reports were            control reports and other\n                                   produced and            documentation provided by\n                                   reviewed extensively    the OCFO do not contain\n                                   with data owners to     sufficient data to perform such\n                                   validate the            a comparison. In order to\n                                   accuracy and            validate the accuracy and\n                                   completeness of         completeness of a source\n                                   each extract.           system data extract, one\n                                                           would typically need to\n                                                           compare the extract to a\n                                                           report from the source system\n                                                           to determine if the extract was\n                                                           accurate and complete.\n\n\n\n\nMock Data     Required             Risk 10 \xe2\x80\x93 Disagree.     Implementation Risk 10 \xe2\x80\x93\nConversion    throughput rates     KPMG incorrectly        Based upon the response\n(continued)   have not yet         calculates              received from the OCFO, we\n              been reached.        throughput rates.       updated the report on our\n              (Risk 10)            Throughput rates        calculations of throughput\n                                   are based upon valid    attained in the Mock IV data\n\n                                                       New Core Financial Management System\n                                           57                    Report No. 22-10-014-13-001\n\x0c                       Prepared by KPMG LLP, an Independent Public Accounting Firm\n                         for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n            Implementation     OCFO Response\n              Risk as of             dated\nObjective    December 17,       December 24,\n  Area           2009                 2009                  Auditor Response\n                             transactions and do      conversion exercise by: a)\n                             not include              excluding exempted data, and\n                             exempted data.           b) by correcting differences\n                                                      between our initial mapping of\n                                                      datasets to business\n                                                      processes and the OCFO\xe2\x80\x99s\n                                                      mapping. After adjusting our\n                                                      calculations, throughput rates\n                                                      for the Mock IV data\n                                                      conversion still fall short of the\n                                                      throughput rates required by\n                                                      the NCFMS Data Migration\n                                                      Data Verification Plan for five\n                                                      of the ten business process\n                                                      areas. We revised the report\n                                                      accordingly.\n\n                                                      However, for three of the\n                                                      business processes,\n                                                      throughput percentages\n                                                      calculated by the OCFO are\n                                                      higher than the throughput\n                                                      percentages calculated by us.\n                                                      For two of those business\n                                                      processes, we have identified\n                                                      the cause of the discrepancy.\n                                                      For Request-to-Procure and\n                                                      for Procure-to-Pay, the OCFO\n                                                      calculated throughput using\n                                                      an arithmetic average rather\n                                                      than a weighted average.\n                                                      This has the effect of skewing\n                                                      the OCFO\xe2\x80\x99s throughput\n                                                      calculations. For example, for\n                                                      Request-to-Procure, the\n                                                      OCFO calculated throughput\n                                                      by giving equal weight to\n                                                      Grants and Purchase Orders,\n                                                      even though Purchase Orders\n                                                      had almost five times as\n                                                      many records as Grants to be\n                                                      migrated (16,335 records for\n\n                                                  New Core Financial Management System\n                                      58                    Report No. 22-10-014-13-001\n\x0c                             Prepared by KPMG LLP, an Independent Public Accounting Firm\n                               for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n              Implementation         OCFO Response\n                Risk as of               dated\n Objective     December 17,           December 24,\n   Area            2009                   2009                    Auditor Response\n                                                             Purchase Orders versus\n                                                             3,315 records for Grants).\n\nMock Data     Mock IV data          Risk 11 \xe2\x80\x93 Agree. Not     Implementation Risk 11 \xe2\x80\x93 No\nConversion    conversion test       all of the evidence of   further comments.\n(continued)   results do not        data verification        Management agreed with the\n              include evidence      performed for the        risk as stated in the report.\n              that all planned      \xe2\x80\x9cLowest\xe2\x80\x9d levels of\n              tests to verify the   data verification was\n              accuracy of data      available in the form\n              migration were        of an artifact that\n              performed. (Risk      was independent of\n              11)                   the workshops held\n                                    with SMEs and data\n                                    owners.\n\n\n\n\n                                                        New Core Financial Management System\n                                            59                    Report No. 22-10-014-13-001\n\x0c   Prepared by KPMG LLP, an Independent Public Accounting Firm\n     for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\n\n\nPAGE INTENTIONALLY LEFT BLANK\n\n\n\n\n                              New Core Financial Management System\n                  60                    Report No. 22-10-014-13-001\n\x0c                         Prepared by KPMG LLP, an Independent Public Accounting Firm\n                           for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\n\n                                                                            Appendix E\nAcronyms and Abbreviations\n\nC&A             Certification and Accreditation\nCAM             Cost Analysis Manager\nCCR             Central Contract Registration\nCGAC            Common Government-wide Accounting Classification\nCOTS            Commercial Off the Shelf\nDBC             Departmental Budget Center\nDOL             Department of Labor\nDOLAR$          Department of Labor Accounting and Related Systems\nEPS             E-Procurement System\nFACTS           Federal Agencies\xe2\x80\x99 Centralized Trial-Balance System\nFM              Financial Management\nFMLoB           Financial Management Line of Business\nFSIO            Financial Systems Integration Office\nFY              Fiscal Year\nGAGAS           Generally Accepted Government Auditing Standards\nGAS             Government Auditing Standards\nGCE             Global Computer Enterprises\nIEEE            Institute of Electrical and Electronics Engineers\nJFAS            Job Corps Funding Allocation System\nNCFMS           New Core Financial Management System\nNCTW            NCFMS Cut-Over Transactions Workbook\nNFC             National Finance Center\nNIST            National Institute of Standards and Technology\nOCFO            Office of the Chief Financial Officer\nOFI             Office of Fiscal Integrity\nOFS             Office of Financial Systems\nOIG             Office of Inspector General\nOMB             Office of Management and Budget\nPCARD           Purchase Card\n\n\n                                                    New Core Financial Management System\n                                        61                    Report No. 22-10-014-13-001\n\x0c                 Prepared by KPMG LLP, an Independent Public Accounting Firm\n                   for the U. S. Department of Labor \xe2\x80\x93 Office of Inspector General\n\nPMS      Payment Management System\nSDLCMM   System Development Life Cycle Management Manual\nSME      Subject Matter Expert\nSP       Special Publication\nSPR      Software Problem Reports\nSSP      Shared Service Provider\nSRS      Software Requirements and Specifications\nUAT      User Acceptance Testing\nUS       United States\nUSSGL    US Standard General Ledger\nUTF      Unemployment Trust Fund\n\n\n\n\n                                            New Core Financial Management System\n                                 62                   Report No. 22-10-014-13-001\n\x0c'